mod-security-developers — Development discussion about mod_security

[Mod-security-developers] ModSecurity version 2.9.0 announcement

[Felipe C. <FC...@tr...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I am proud to announce our release for the version 2.9.0.
This version 2.9.0 contains fixes.

Complete list of changes from 2.8.0 to 2.9.0 is available here:
- - https://github.com/SpiderLabs/ModSecurity/releases

The source and binaries (and the respective hashes) are available at:
- - https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0

SHA256(modsecurity-2.9.0.tar.gz)= e2bbf789966c1f80094d88d9085a81bde082b2054f8e38e0db571ca49208f434
SHA256(ModSecurityIIS_2.9.0-32b.msi)= 3e7fc5e48c43738352935a2cc58dcd9272ed9e6d8ef4f6d57609183bcc443a57
SHA256(ModSecurityIIS_2.9.0-64b.msi)= cda1abf2c2e6f58b4dd33f4a16ab84c8b861663957dbdc2cf8ad7a4df1ad6645

We would like to thank you all that helped to test the release candidate
one and two, a really great job. Thanks!

The most important change from v2.9.0-RC2 to v2.9.0:


* Fix apr_crypto.h include, now checking if apr_crypto.h is available by
  checking the definition WITH_APU_CRYPTO.
  [martinjina and ModSecurity team]


Br,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
Comment: GPGTools - https://gpgtools.org

iEYEARECAAYFAlTdKE0ACgkQ5t+wjOixEneqRACfVzlUqLp47iwr5rCIeInsnSs9
TYIAn1o6ITjGI8oR1mxBeVSsOc25u5Jd
=/agZ
-----END PGP SIGNATURE-----

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] [mod-security-packagers] ModSecurity version 2.9.0-RC2 announcement

[Walter H. <mo...@sp...>]

Hi Felipe,

I haven’t found any regressions so far although I haven’t put it in production yet. So that date looks good!

It would be very much appreciated if you could briefly look at my thread "RESPONSE_BODY matching fails with gzip encoding on Ubuntu” on -users list, although this problem also occurs on 2.7.7. It might be a bug, if so, it would be nice to catch it in time.

Cheers!
WH


> On 05 Jan 2015, at 19:23, Felipe Costa <FC...@tr...> wrote:
> 
> Hi Walter,
> 
> Thank you for your feedback!! Best wishes in 2015.
> 
> Waiting for your OK before release 2.9.0. My guess is that 19 of January
> is a good date for 2.9.0 release.
> 
> 
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
> 
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
> 
> 
> 
> 
> 
> From: Walter Hop [mo...@sp...]
> 
> Sent: Monday, December 29, 2014 7:32 PM
> 
> To: mod...@li...
> 
> Cc: mod...@li...
> 
> Subject: Re: [mod-security-packagers] ModSecurity version 2.9.0-RC2 announcement
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> I gave the RC2 some quality time. It looks very good so far!
> 
> 
> 
> 
> 
> Fixed issues I’ve had with -RC1:
> 
> 
> 
> - Failures in @pmFromFile, @ipMatchFromFile and SecRemoteRules: works OK now!
> 
> - @fuzzyHash rule doesn't fire: works OK now! This problem was likely due to bugs in the old ssdeep version (FreeBSD bug #195720). ssdeep was updated to 2.12 on Dec 13rd, so the timing is perfect.
> 
> - Persistent crashes in acmp_btree_find: seems to have been a FreeBSD 10.0 issue with all versions, works OK on FreeBSD 9.3 and 10.1. FreeBSD 10.0 will go out of support in February anyway.
> 
> - httpd crash on every request when using Lua 5.2: Assuming Lua 5.2 is not supported fully for now (Github issue #814). I will just depend on Lua 5.1. This is not an urgent problem, as lua51/lua52 packages can coexist peacefully.
> 
> 
> 
> 
> One small unfixed issue remains:
> 
> - Apache log module prefix: not fixed, note that it still says '[:notice]', but this is a small issue at worst. [Mon Dec 29 21:44:18.001193 2014] [:notice] [pid 56448] ModSecurity for Apache/2.9.0-RC2 (http://www.modsecurity.org/)
> configured.
> 
> 
> 
> 
> 
> I will try the RC2 on some internal systems over the next week (including some Debian), so it’s possible some other stuff will turn up, but it’s feeling very stable so far!
> 
> 
> 
> 
> Thanks for the hard work and the fixes, and best wishes for 2015 :)
> 
> 
> 
> 
> WH
> 
> 
> 
> 
> 
> 
> 
> 
> On 16 Dec 2014, at 01:35, Felipe Costa <FC...@tr...> wrote:
> 
> 
> 
> 
> 
> I am proud to announce our second release candidate for version 2.9.0.
> 
> 
> The 2.9.0-RC2 contains fixes and improvements.
> 
> 
> 
> 
> 
> 
> The source and binaries (and the respective hashes) are available at:
> 
> 
> https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc2
> 
> 
> 
> 
> 
> 
> SHA256(modsecurity-2.9.0-RC2.tar.gz)= 62bfb04d459a8308bb6850102c9d8f0cca250207749ce5b9465344dda2419993
> 
> 
> SHA256(ModSecurityIIS_2.9.0-RC2-32b.msi)= 364a55d2ff6981479694184eaec26404f294ac2131e8494ff478ae5e1aee33d6
> 
> 
> SHA256(ModSecurityIIS_2.9.0-RC2-64b.msi)= c5c90fb5eae5d819f641989bcfb2b4230506fb4bb8065034ef0684b8694585dd
> 
> 
> 
> 
> 
> 
> 
> 
> --
> Walter Hop | PGP key: https://lifeforms.nl/pgp
> 
> 
> 
> 
> 
> 
> ________________________________
> 
> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp

Re: [Mod-security-developers] [mod-security-packagers] ModSecurity version 2.9.0-RC2 announcement

[Felipe C. <FC...@tr...>]

Hi Walter,

Thank you for your feedback!! Best wishes in 2015.

Waiting for your OK before release 2.9.0. My guess is that 19 of January
is a good date for 2.9.0 release.


Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>





From: Walter Hop [mo...@sp...]

Sent: Monday, December 29, 2014 7:32 PM

To: mod...@li...

Cc: mod...@li...

Subject: Re: [mod-security-packagers] ModSecurity version 2.9.0-RC2 announcement











I gave the RC2 some quality time. It looks very good so far!





Fixed issues I’ve had with -RC1:



- Failures in @pmFromFile, @ipMatchFromFile and SecRemoteRules: works OK now!

- @fuzzyHash rule doesn't fire: works OK now! This problem was likely due to bugs in the old ssdeep version (FreeBSD bug #195720). ssdeep was updated to 2.12 on Dec 13rd, so the timing is perfect.

- Persistent crashes in acmp_btree_find: seems to have been a FreeBSD 10.0 issue with all versions, works OK on FreeBSD 9.3 and 10.1. FreeBSD 10.0 will go out of support in February anyway.

- httpd crash on every request when using Lua 5.2: Assuming Lua 5.2 is not supported fully for now (Github issue #814). I will just depend on Lua 5.1. This is not an urgent problem, as lua51/lua52 packages can coexist peacefully.




One small unfixed issue remains:

- Apache log module prefix: not fixed, note that it still says '[:notice]', but this is a small issue at worst. [Mon Dec 29 21:44:18.001193 2014] [:notice] [pid 56448] ModSecurity for Apache/2.9.0-RC2 (http://www.modsecurity.org/)
 configured.





I will try the RC2 on some internal systems over the next week (including some Debian), so it’s possible some other stuff will turn up, but it’s feeling very stable so far!




Thanks for the hard work and the fixes, and best wishes for 2015 :)




WH








On 16 Dec 2014, at 01:35, Felipe Costa <FC...@tr...> wrote:





I am proud to announce our second release candidate for version 2.9.0.


The 2.9.0-RC2 contains fixes and improvements.






The source and binaries (and the respective hashes) are available at:


https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc2






SHA256(modsecurity-2.9.0-RC2.tar.gz)= 62bfb04d459a8308bb6850102c9d8f0cca250207749ce5b9465344dda2419993


SHA256(ModSecurityIIS_2.9.0-RC2-32b.msi)= 364a55d2ff6981479694184eaec26404f294ac2131e8494ff478ae5e1aee33d6


SHA256(ModSecurityIIS_2.9.0-RC2-64b.msi)= c5c90fb5eae5d819f641989bcfb2b4230506fb4bb8065034ef0684b8694585dd








--
Walter Hop | PGP key: https://lifeforms.nl/pgp






________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] [mod-security-packagers] ModSecurity version 2.9.0-RC2 announcement

[Walter H. <mo...@sp...>]

I gave the RC2 some quality time. It looks very good so far!

Fixed issues I’ve had with -RC1:
- Failures in @pmFromFile, @ipMatchFromFile and SecRemoteRules: works OK now!
- @fuzzyHash rule doesn't fire: works OK now! This problem was likely due to bugs in the old ssdeep version (FreeBSD bug #195720). ssdeep was updated to 2.12 on Dec 13rd, so the timing is perfect.
- Persistent crashes in acmp_btree_find: seems to have been a FreeBSD 10.0 issue with all versions, works OK on FreeBSD 9.3 and 10.1. FreeBSD 10.0 will go out of support in February anyway.
- httpd crash on every request when using Lua 5.2: Assuming Lua 5.2 is not supported fully for now (Github issue #814). I will just depend on Lua 5.1. This is not an urgent problem, as lua51/lua52 packages can coexist peacefully.

One small unfixed issue remains:
- Apache log module prefix: not fixed, note that it still says '[:notice]', but this is a small issue at worst. [Mon Dec 29 21:44:18.001193 2014] [:notice] [pid 56448] ModSecurity for Apache/2.9.0-RC2 (http://www.modsecurity.org/) configured.

I will try the RC2 on some internal systems over the next week (including some Debian), so it’s possible some other stuff will turn up, but it’s feeling very stable so far!

Thanks for the hard work and the fixes, and best wishes for 2015 :)

WH


> On 16 Dec 2014, at 01:35, Felipe Costa <FC...@tr...> wrote:
> 
> I am proud to announce our second release candidate for version 2.9.0.
> The 2.9.0-RC2 contains fixes and improvements.
> 
> The source and binaries (and the respective hashes) are available at:
> https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc2 <https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc2>
> 
> SHA256(modsecurity-2.9.0-RC2.tar.gz)= 62bfb04d459a8308bb6850102c9d8f0cca250207749ce5b9465344dda2419993
> SHA256(ModSecurityIIS_2.9.0-RC2-32b.msi)= 364a55d2ff6981479694184eaec26404f294ac2131e8494ff478ae5e1aee33d6
> SHA256(ModSecurityIIS_2.9.0-RC2-64b.msi)= c5c90fb5eae5d819f641989bcfb2b4230506fb4bb8065034ef0684b8694585dd

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp

[Mod-security-developers] nginx 1.7.8 and 1.7.7 reverse proxy segfaults when backend returns 400, 500, 501 and 503

[Bruno de A. <br...@sa...>]

Hi All,

I've just started playing with nginx + modsec, so I thought I'd test
2.9.0-RC2 but it seems unusable in reverse proxy mode for nginx >= 1.7.7,
so I'm not sure the problem is with mod_sec or nginx. I will keep doing
some more tests with 1.7.6.


Affected mod_sec versions: 2.8.0, 2.9.0-RC1, 2.9.0-RC2 ( not tested earlier
versions)
Affected nginx versions: 1.7.7, 1.7.8.
Not affected nginx: 1.7.6 , 1.7.5, 1.7.4, 1.6.2 (not tested earlier
versions)

nginx compile options:

 CFLAGS="-g -O0" ./configure --with-debug
--add-module=../modsecurity-2.8.0/nginx/modsecurity/ --with-http_ssl_module
 --with-cc-opt="-I /usr/local/pcre/include"  --with-ld-opt="-L
/usr/local/pcre/lib"


mod_sec compile options:

./configure --enable-pcre-match-limit=100000
--enable-pcre-match-limit-recursion=100000 --with-apxs=/usr/bin/apxs
--with-apr=/usr/bin/apr-1-config --with-apu=/usr/bin/apu-1-config
--enable-pcre-study --enable-lua-cache --enable-standalone-module
--enable-pcre-jit --with-pcre=/usr/local/pcre


The setup is simple: client - > nginx + mod_sec -> apache backend (with
mod_security so I can force different error codes)

nginx vhost config:

server {

        listen   80;
        listen   443 ssl;
        server_name testing;
        root /var/www/nginx/testing;
        index index.html index.htm;

        ssl_certificate /usr/local/nginx/ssl/testing.crt;
        ssl_certificate_key /usr/local/nginx/ssl/testing.key;

        location / {
           ModSecurityEnabled on;
           ModSecurityConfig modsecurity.conf;

           proxy_set_header Host $host;
           proxy_pass http://172.16.0.10:80;
           proxy_read_timeout 20s;

        }
}


To replicate the issue, I configure the apache backend to thrown different
error codes with this rule:


SecRule REMOTE_ADDR "@ipMatch 1.1.1.1"
"phase:2,deny,status:500,t:none,id:'1',msg:'Testing'"


A simple curl request to http://testing then makes nginx segfault:

curl -k -v  -o /dev/null 'http://testing'
* Rebuilt URL to: http://testing/
* Hostname was NOT found in DNS cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time
 Current
                                 Dload  Upload   Total   Spent    Left
 Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--
  0*   Trying 10.9.0.89...
* Connected to testing (10.9.0.89) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: testing
> Accept: */*
>
* Empty reply from server
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--
  0
* Connection #0 to host testing left intact
curl: (52) Empty reply from server




2014/12/16 15:21:47 [debug] 11082#0: *1 http copy filter: "/?"
2014/12/16 15:21:47 [debug] 11082#0: *1 modSecurity: body filter
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers in:
"User-Agent: curl/7.35.0"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers in:
"Host: testing"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers in:
"Accept: */*"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers in done
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out:
"Last-Modified: Wed, 08 Oct 2014 11:52:10 GMT"
2014/12/16 15:21:47 [debug] 11082#0: *1 posix_memalign:
000000000238C4F0:4096 @16
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out:
"ETag: "2b49-504e7f224ae80""
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out:
"Accept-Ranges: bytes"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out:
"Vary: Accept-Encoding"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out:
"Content-Type: text/html"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out:
"Content-Length: 11081"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out:
"Last-Modified: Wed, 08 Oct 2014 11:52:10 GMT"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out:
"Connection: keep-alive"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: load headers out done
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: status 0
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: save headers in:
"User-Agent: curl/7.35.0"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: save headers in:
"Host: testing"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: save headers in:
"Accept: */*"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: save headers in done
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: save headers out:
"Last-Modified: Wed, 08 Oct 2014 11:52:10 GMT"
2014/12/16 15:21:47 [debug] 11082#0: *1 ModSecurity: save headers out:
"ETag: "2b49-504e7f224ae80""
Segmentation fault


Let me know if you need any more information


-- 
- Bruno

Re: [Mod-security-developers] 2.9.0-RC1 test results

[Walter H. <mo...@sp...>]

> The fixes are already on top of our master, there will be a -RC2 soon.

Awesome, thanks for the fixes. It’s a busy period but I will give the new RC some exercise at the beginning of next week.

I’ll also check ssdeep some more then. (I figured that maybe my problems getting a match might be related to SecChrootDir which I always use; so I’ll try again without it)

Again thanks for the nice work!
WH

Re: [Mod-security-developers] 2.9.0-RC1 test results

[Christian F. <chr...@ti...>]

Hi there,

On Mon, Dec 15, 2014 at 07:22:04PM +0000, Felipe Costa wrote:
> 1.a) Crash
> 
> Fixed. That was a consequence of mod_ssl utilization. Now we are doing the
> OpenSSL Initialization globally, instead of a initialization and cleanup
> for every request.

I got the impression the crash I reported might have been the same as
the one by Walter. Is that correct?

I can run another test tomorrow, if that matters.

Ahoj,

Christian


-- 
Human history becomes more and more a race between 
education and catastrophe.
--- H. G. Wells

[Mod-security-developers] ModSecurity version 2.9.0-RC2 announcement

[Felipe C. <FC...@tr...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I am proud to announce our second release candidate for version 2.9.0.
The 2.9.0-RC2 contains fixes and improvements.

The source and binaries (and the respective hashes) are available at:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc2

SHA256(modsecurity-2.9.0-RC2.tar.gz)= 62bfb04d459a8308bb6850102c9d8f0cca250207749ce5b9465344dda2419993
SHA256(ModSecurityIIS_2.9.0-RC2-32b.msi)= 364a55d2ff6981479694184eaec26404f294ac2131e8494ff478ae5e1aee33d6
SHA256(ModSecurityIIS_2.9.0-RC2-64b.msi)= c5c90fb5eae5d819f641989bcfb2b4230506fb4bb8065034ef0684b8694585dd

We would like to thank you all that helped to test the release candidate one,
you guys did a great job. Thanks!

The most important changes are listed bellow:

Bug fixes and improvements
==========================

* OpenSSL dependency was removed on MS Windows builds. ModSecurity is now using
  Curl with WinSSL.
  [Gregg Smith, Steffen and ModSecurity team]
* ModSecurity now informs about external resources loaded/failed while
  reloading Apache.
  [ModSecurity team]
* Adds missing 'ModSecurity:' prefix in some warnings messages.
  [Walter Hop and ModSecurity team]
* External resources download is now more verbose. Holding the message to be
  displayed when Apache is ready to write on the error_log.
  [ModSecurity team]
* Remote resources loading process is now failing in case of HTTP error.
  [Walter Hop and ModSecurity team]
* Fixed start up crash on Apache with mod_ssl configured. Crash was happening
  during the download of remote resources.
  [Christian Folini, Walter Hop and ModSecurity team]
* Curl is not a mandatory dependency to ModSecurity core anymore.
  [Rainer Jung and ModSecurity team]


Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/> <http://www.trustwave.com/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
Comment: GPGTools - https://gpgtools.org<https://gpgtools.org/>

iEYEARECAAYFAlSPfQEACgkQ5t+wjOixEndhywCfeGQf+U7AyV4l/aqfD4cPRjg8
GiQAn186SW3FqpHo4BUxC+mdVkWY7eNk
=59mJ
-----END PGP SIGNATURE-----

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] ModSecurity version 2.9.0-RC1 released

[Felipe C. <FC...@tr...>]

Hi Rainer,

Thanks for your feedback.

Curl is no longer mandatory on our master tree.

We have created `#ifdefs' with three different definitions:

- WITH_CURL: Enables the download of remote resources (including
  remote rules).
- WITH_REMOTE_RULES: Enables the SecRemoteRules directive, notice
  that it depends on WITH_CURL.
- WITH_CRYPTO: Support for encryption on SecRemoteRules directive
  (Needs apr/apu compiled with crypto support).

All those variables should be automatically set by autotools, making
our build to work even without Curl. Of course, if you don't have
Curl(-dev) during the build time, the "remote resources" will not be
available.



Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>



On 11/18/14 7:00 PM, "Rainer Jung" <rai...@ki...> wrote:

>Addition: you should also move the line
>
>#ifdef WITH_REMOTE_RULES_SUPPORT
>
>in msc_remote_rules.c higher up in the file. Currently it would still
>include (and need) all header files and only then the if block would
>disable all code. But the curl.h might not be there, so include and
>compilation fails. Moving of the if line directly after
>
>#include "msc_remote_rules.h"
>
>fixes this.
>
>Then there are two more curl dependencies:
>
>- in apache2/re_operators.c in function msre_op_pmFromFile_param_init if
>the file name for pmFromFile is an https URL
>
>- in apache2/msc_util.c in function ip_tree_from_uri if the file name
>for ipmatchFromFile is an https URL
>
>IMHO both features should be disabled (replaced by an error message
>during runtime) if curl is not found.
>
>Thanks and regards,
>
>Rainer
>
>Am 18.11.2014 um 22:29 schrieb Rainer Jung:
>> Thanks for producing the RC and sharing.
>>
>> Building it without curl support we get the expected
>>
>> NOTE: curl library is only required for building mlogc
>>
>> output from the configure script, but then the build fails because of
>> the new remote rules support. File msc_remote_rules.h unconditionally
>> needs curl/curl.h.
>>
>> I'd say curl is a bit huge and the remote rule support not in the main
>> stream use, so having the curl dependency only as an option currently
>> would be good.
>>
>> To not introduce a new mandatory dependency, you should define
>> WITH_REMOTE_RULES_SUPPORT only if curl was found by configure.
>>
>> Regards,
>>
>> Rainer
>>
>> Am 18.11.2014 um 14:34 schrieb Felipe Costa:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Hi,
>>>
>>> I am proud to announce our first release candidate for version 2.9.0.
>>> The 2.9.0-RC1 contains fixes and new features.
>>>
>>> The documentation is available in our wikipage:
>>>
>>>http://scanmail.trustwave.com/?c=4062&d=s8Hr1APWoFLpzfgNjgdh9FNfwJOpYf55
>>>vD_zHetZzA&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2
>>>fwiki%2fReference-Manual
>>>
>>> The source and binaries (and the respective hashes) are available at:
>>>
>>>http://scanmail.trustwave.com/?c=4062&d=s8Hr1APWoFLpzfgNjgdh9FNfwJOpYf55
>>>vDb2G-8MkA&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2
>>>freleases%2ftag%2fv2%2e9%2e0-rc1
>>>
>>> SHA256(modsecurity-2.9.0-RC1.tar.gz)=
>>> 1a061e09bc7e3218a80bc2004b7e87c8f3a382323b09633e060c16bea5e23098
>>> SHA256(ModSecurityIIS_2.9.0-RC1-32b.msi)=
>>> 68cd286612ca7026442ec3c409f33a2eaca428d9bb7a297d23a19043f5c31360
>>> SHA256(ModSecurityIIS_2.9.0-RC1-64b.msi)=
>>> 948ffeda98684c569c22da95d600aca7998f20a85c9345a56086e1a85c1d8ab7
>>>
>>> We would like to thank you all that helped out making this release:
>>> comments,
>>> bug reports, and pull requests.
>>>
>>> The most important changes are listed bellow:
>>>
>>> New features
>>> ============
>>>
>>> * `pmFromFile' and `ipMatchFromFile' operators are now accepting HTTPS
>>> served
>>>     files as parameter.
>>> * `SecRemoteRules' directive - allows you to specify a HTTPS served
>>> file that
>>>    may contain rules in the SecRule format to be loaded into your
>>> ModSecurity
>>>    instance.
>>> * `SecRemoteRulesFailAction' directive - allows you to control
>>> whenever the
>>>    user wants to Abort or just Warn when there is a problem while
>>> downloading
>>>    rules specified with the directive: `SecRemoteRules'.
>>> * `fuzzyHash' operator - allows to match contents using fuzzy hashes.
>>> * `FILES_TMP_CONTENT' collection - make available the content of
>>>uploaded
>>>    files.
>>> * InsecureNoCheckCert - option to validate or not a chain of SSL
>>> certificates
>>>    on mlogc connections.
>>>
>>>
>>> Bug fixes
>>> =========
>>>
>>> * ModSecurityIIS: ModSecurity event ID was changed from 0 to 0x1.
>>>    [Issue #676 - Kris Kater and ModSecurity team]
>>> * Fixed signature on "status call": ModSecurity is now using the
>>>original
>>>    server signature.
>>>    [Issues #702 - Linas and ModSecurity team]
>>> * YAJL version is printed while ModSecurity initialization.
>>>    [Issue #703 - Steffen (Apache Lounge) and Mauro Faccenda]
>>> * Fixed subnet representation using slash notation on the @ipMatch
>>> operator.
>>>    [Issue #706 - Walter Hop and ModSecurity team]
>>> * Limited the length of a status call.
>>>    [Issue #714 - 'cpanelkurt' and ModSecurity team]
>>> * Added the missing -P option to nginx regression tests.
>>>    [Issue #720 - Paul Yang]
>>> * Fixed automake scripts to do not use features which will be
>>> deprecated in the
>>>    upcoming releases of automake.
>>>    [Issue #760 - ModSecurity team]
>>> * apr-utils's LDFALGS is now considered while building ModSecurity.
>>>    [Issue #782 - Daniel J. Luke]
>>> * IIS installer is not considering IIS 6 as compatible anymore.
>>>    [Issue #790 - ModSecurity team]
>>> * Fixed yajl build script: now looking for the correct header file.
>>>    [Issue #804 - 'rpfilomeno' and ModSecurity team]
>>> * mlgoc is now forced to use TLS 1.x.
>>>    [Issue #806 - Josh Amishav-Zlatin and ModSecurity team]
>>>
>>>
>>> Br.,
>>> Felipe "Zimmerle" Costa
>>> Security Researcher, SpiderLabs
>>>
>>> Trustwave | SMART SECURITY ON DEMAND
>>> www.trustwave.com <http://www.trustwave.com/>
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1
>>> Comment: GPGTools -
>>>http://scanmail.trustwave.com/?c=4062&d=s8Hr1APWoFLpzfgNjgdh9FNfwJOpYf55
>>>vDb2R7gImQ&s=5&u=https%3a%2f%2fgpgtools%2eorg
>>>
>>> iEYEARECAAYFAlRrRO0ACgkQ5t+wjOixEneDsQCfdQO7tsVdlBJB4bKQkRFzvpP+
>>> m8EAn2ToUijuHIKpOm9yWdcwsuZ5yBW+
>>> =80Ng
>>> -----END PGP SIGNATURE-----
>>>
>>> ________________________________
>>>
>>> This transmission may contain information that is privileged,
>>> confidential, and/or exempt from disclosure under applicable law. If
>>> you are not the intended recipient, you are hereby notified that any
>>> disclosure, copying, distribution, or use of the information contained
>>> herein (including any reliance thereon) is strictly prohibited. If you
>>> received this transmission in error, please immediately contact the
>>> sender and destroy the material in its entirety, whether in electronic
>>> or hard copy format.
>>>
>>>
>>>------------------------------------------------------------------------
>>>------
>>>
>>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>>> from Actuate! Instantly Supercharge Your Business Reports and
>>>Dashboards
>>> with Interactivity, Sharing, Native Excel Exports, App Integration &
>>>more
>>> Get technology previously reserved for billion-dollar corporations,
>>>FREE
>>>
>>>http://scanmail.trustwave.com/?c=4062&d=s8Hr1APWoFLpzfgNjgdh9FNfwJOpYf55
>>>vDSlR7kAyA&s=5&u=http%3a%2f%2fpubads%2eg%2edoubleclick%2enet%2fgampad%2f
>>>clk%3fid%3d157005751%26iu%3d%2f4140%2fostg%2eclktrk
>>>
>>> _______________________________________________
>>> mod-security-developers mailing list
>>> mod...@li...
>>>
>>>http://scanmail.trustwave.com/?c=4062&d=s8Hr1APWoFLpzfgNjgdh9FNfwJOpYf55
>>>vDahR74PzA&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flisti
>>>nfo%2fmod-security-developers
>>> ModSecurity Services from Trustwave's SpiderLabs:
>>> https://www.trustwave.com/spiderLabs.php
>
>--------------------------------------------------------------------------
>----
>Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>with Interactivity, Sharing, Native Excel Exports, App Integration & more
>Get technology previously reserved for billion-dollar corporations, FREE
>http://scanmail.trustwave.com/?c=4062&d=s8Hr1APWoFLpzfgNjgdh9FNfwJOpYf55vD
>SlR7kAyA&s=5&u=http%3a%2f%2fpubads%2eg%2edoubleclick%2enet%2fgampad%2fclk%
>3fid%3d157005751%26iu%3d%2f4140%2fostg%2eclktrk
>_______________________________________________
>mod-security-developers mailing list
>mod...@li...
>http://scanmail.trustwave.com/?c=4062&d=s8Hr1APWoFLpzfgNjgdh9FNfwJOpYf55vD
>ahR74PzA&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%
>2fmod-security-developers
>ModSecurity Services from Trustwave's SpiderLabs:
>https://www.trustwave.com/spiderLabs.php


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] 2.9.0-RC1 test results

[Felipe C. <FC...@tr...>]

Hi Walter,

Comments below...

>

> Okay, on to the problems I've found. All tests were on FreeBSD 10.0-p12
> with stack smashing protection, amd64, Apache 2.4.10 prefork, OpenSSL
> 1.0.1j, clang 3.3.
>
>

> 1) High prio: Remote resources fail with segfaults and other problems in
> @pmFromFile, @ipMatchFromFile and SecRemoteRules.
>

> https://gist.github.com/lifeforms/102f66246de8bd33a2ca
>

1.a) Crash

Fixed. That was a consequence of mod_ssl utilization. Now we are doing the
OpenSSL Initialization globally, instead of a initialization and cleanup
for every request.

1.b) Nonexisting files

Fixed. Now the HTTP error code is being taken into consideration.

>
> 2) High prio: Undiagnosed persistent crash.
>
> https://gist.github.com/lifeforms/4356643edfe8f39c2991
>

After upgrade the box, Walter was not able to reproduce the problem.

>
> 3) Medium prio: httpd crash on every request when using Lua 5.2. Working
> fine with Lua 5.1.
>
>
> https://gist.github.com/lifeforms/3ecc60c67012a053d060

>

That is something that also happens with oldest versions of ModSecurity. We
have an issue opened regarding that
(https://github.com/SpiderLabs/ModSecurity/issues/762), actually it is more
about make the installer smart enough to check the Lua versions, however, I
believe that we have to support the newest version as well, thus, I have
just
opened this new issue: https://github.com/SpiderLabs/ModSecurity/issues/814

>
> 4) Low prio: Apache log messages not prefixed with name. (Also present
>in earlier version)
>
> https://gist.github.com/lifeforms/4b41ae6464073ced39f5
>


"ModSecurity:" prefix was added.

>
> Since I don't know if it's a useful workflow to create github issues,
>I¹ve put the long
> descriptions in gists for now, but of course I can submit them wherever
>you like.
>

That was just fine.

Thank you again for your work. Very valuable report.

The fixes are already on top of our master, there will be a -RC2 soon.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>





________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] 2.9.0-RC1 test results

[Felipe C. <FC...@tr...>]

Hi Walter,

Thank you again to let as know.

As this specific part of the code was not being updated for a while, that was my suspicion.

By looking at the GDB output that you have provided, I identified the reason of the segfault. 2.9.0[-RC2|] will not segfault because of that. Anyhow, we still have a problem as we have understand what circumstances are leading us to that NULL pointer.

I was not able to reproduce the problem, so I am sending to your email a GDB script that will avoid the crash in your server and take a snapshot of important pieces of the memory that may be useful to understand what is going on. This snapshot may contains sensitive information of your server, double check before send it back.

It will be very helpful if you can test that in your server.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>



________________________________
From: Walter Hop [mo...@sp...]
Sent: Thursday, December 04, 2014 3:01 PM
To: mod...@li...
Subject: Re: [Mod-security-developers] 2.9.0-RC1 test results

An update about this crash. Last week, I got very similar repeated segfaults on three boxes running ModSecurity 2.7.7! Of course I don’t have debug builds running everywhere, but it seemed to be in the same function.

Interestingly, more out of luck than anything else, two of these boxes were slated for upgrading to FreeBSD 10.1, and I noticed the segfaults completely went away on them for a week (knock on wood) while I was having them almost daily.

So I am now thinking this is *not* a regression in 2.9.0.

My working theory now is, either the interaction of some library update (pcre? libxml2?) with the FreeBSD 10.0 (clang?) runtime leads to memory corruption.


2) High prio: Undiagnosed persistent crash. https://gist.github.com/lifeforms/4356643edfe8f39c2991<http://scanmail.trustwave.com/?c=4062&d=opOA1B1Ql0cbsNHR1AF9Pmo8cR78lITwOVPqKoj65g&s=5&u=https%3a%2f%2fgist%2egithub%2ecom%2flifeforms%2f4356643edfe8f39c2991>

Got the same crash on a second test box today.
I have updated the gist with information from a debug build: https://gist.github.com/lifeforms/4356643edfe8f39c2991<http://scanmail.trustwave.com/?c=4062&d=opOA1B1Ql0cbsNHR1AF9Pmo8cR78lITwOVPqKoj65g&s=5&u=https%3a%2f%2fgist%2egithub%2ecom%2flifeforms%2f4356643edfe8f39c2991>

This crash appears to be serious. I don’t think I’ve ever seen ModSecurity segfault while parsing a request before. Since it starts happening on a random moment of the day, I’m a bit concerned this might be a remote DoS vuln, so I’m reverting to 2.7.7 on the public boxes.

I have kept some core files, but it’s been a long time since I worked with gdb so let me know if I should extract more info out of them.

Is there a way to enable asserts in the code so we can find out why/when node is unset?


--
Walter Hop | PGP key: https://lifeforms.nl/pgp<http://scanmail.trustwave.com/?c=4062&d=opOA1B1Ql0cbsNHR1AF9Pmo8cR78lITwOVO7K92tsg&s=5&u=https%3a%2f%2flifeforms%2enl%2fpgp>


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] 2.9.0-RC1 test results

[Walter H. <mo...@sp...>]

An update about this crash. Last week, I got very similar repeated segfaults on three boxes running ModSecurity 2.7.7! Of course I don’t have debug builds running everywhere, but it seemed to be in the same function.

Interestingly, more out of luck than anything else, two of these boxes were slated for upgrading to FreeBSD 10.1, and I noticed the segfaults completely went away on them for a week (knock on wood) while I was having them almost daily.

So I am now thinking this is *not* a regression in 2.9.0.

My working theory now is, either the interaction of some library update (pcre? libxml2?) with the FreeBSD 10.0 (clang?) runtime leads to memory corruption.


> 2) High prio: Undiagnosed persistent crash. https://gist.github.com/lifeforms/4356643edfe8f39c2991 <https://gist.github.com/lifeforms/4356643edfe8f39c2991>
> 
> Got the same crash on a second test box today.
> I have updated the gist with information from a debug build: https://gist.github.com/lifeforms/4356643edfe8f39c2991 <https://gist.github.com/lifeforms/4356643edfe8f39c2991>
> 
> This crash appears to be serious. I don’t think I’ve ever seen ModSecurity segfault while parsing a request before. Since it starts happening on a random moment of the day, I’m a bit concerned this might be a remote DoS vuln, so I’m reverting to 2.7.7 on the public boxes.
> 
> I have kept some core files, but it’s been a long time since I worked with gdb so let me know if I should extract more info out of them.
> 
> Is there a way to enable asserts in the code so we can find out why/when node is unset?


-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp

Re: [Mod-security-developers] 2.9.0-RC1 test results

[Ryan B. <RBa...@tr...>]

Walter,
Please see this blog post I did about using @fuzzyHash operator -
http://blog.spiderlabs.com/2014/11/modsecurity-advanced-topic-of-the-week-detecting-malware-with-fuzzy-hashing.html

Hopefully this will help with some testing.

Ryan Barnett
Senior Lead Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>

From: Walter Hop <mo...@sp...<mailto:mo...@sp...>>
Reply-To: "mod...@li...<mailto:mod...@li...>" <mod...@li...<mailto:mod...@li...>>
Date: Tuesday, November 25, 2014 5:43 PM
To: "mod...@li...<mailto:mod...@li...>" <mod...@li...<mailto:mod...@li...>>
Subject: Re: [Mod-security-developers] 2.9.0-RC1 test results

2) High prio: Undiagnosed persistent crash. https://gist.github.com/lifeforms/4356643edfe8f39c2991<http://scanmail.trustwave.com/?c=4062&d=mYb11GfxNXS5cIjJ4hTdkjqKeLDfsoZGAe3WPGO1uw&s=5&u=https%3a%2f%2fgist%2egithub%2ecom%2flifeforms%2f4356643edfe8f39c2991>

Got the same crash on a second test box today.
I have updated the gist with information from a debug build: https://gist.github.com/lifeforms/4356643edfe8f39c2991<http://scanmail.trustwave.com/?c=4062&d=mYb11GfxNXS5cIjJ4hTdkjqKeLDfsoZGAe3WPGO1uw&s=5&u=https%3a%2f%2fgist%2egithub%2ecom%2flifeforms%2f4356643edfe8f39c2991>

This crash appears to be serious. I don’t think I’ve ever seen ModSecurity segfault while parsing a request before. Since it starts happening on a random moment of the day, I’m a bit concerned this might be a remote DoS vuln, so I’m reverting to 2.7.7 on the public boxes.

I have kept some core files, but it’s been a long time since I worked with gdb so let me know if I should extract more info out of them.

Is there a way to enable asserts in the code so we can find out why/when node is unset?

5) I have tested @fuzzyHash and could not get it to work. My experiences are in this gist: https://gist.github.com/lifeforms/660e995254aba740856e<http://scanmail.trustwave.com/?c=4062&d=mYb11GfxNXS5cIjJ4hTdkjqKeLDfsoZGAbnQODC06A&s=5&u=https%3a%2f%2fgist%2egithub%2ecom%2flifeforms%2f660e995254aba740856e>

Sorry I couldn’t bring more positive news!

Cheers,
WH

--
Walter Hop | PGP key: https://lifeforms.nl/pgp<http://scanmail.trustwave.com/?c=4062&d=mYb11GfxNXS5cIjJ4hTdkjqKeLDfsoZGAe2HPTbi7w&s=5&u=https%3a%2f%2flifeforms%2enl%2fpgp>


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] 2.9.0-RC1 test results

[Walter H. <mo...@sp...>]

> 2) High prio: Undiagnosed persistent crash. https://gist.github.com/lifeforms/4356643edfe8f39c2991 <https://gist.github.com/lifeforms/4356643edfe8f39c2991>

Got the same crash on a second test box today.
I have updated the gist with information from a debug build: https://gist.github.com/lifeforms/4356643edfe8f39c2991 <https://gist.github.com/lifeforms/4356643edfe8f39c2991>

This crash appears to be serious. I don’t think I’ve ever seen ModSecurity segfault while parsing a request before. Since it starts happening on a random moment of the day, I’m a bit concerned this might be a remote DoS vuln, so I’m reverting to 2.7.7 on the public boxes.

I have kept some core files, but it’s been a long time since I worked with gdb so let me know if I should extract more info out of them.

Is there a way to enable asserts in the code so we can find out why/when node is unset?

5) I have tested @fuzzyHash and could not get it to work. My experiences are in this gist: https://gist.github.com/lifeforms/660e995254aba740856e <https://gist.github.com/lifeforms/660e995254aba740856e>

Sorry I couldn’t bring more positive news!

Cheers,
WH

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp

[Mod-security-developers] 2.9.0-RC1 test results

[Walter H. <mo...@sp...>]

Hi Felipe and others,

Thanks again for the hard work on the release.
Here are my preliminary experiences with 2.9.0-RC1 on FreeBSD.

My overall impression is the normal ModSecurity features and earlier ones introduced in 2.8.0 seem mostly stable, with one weird exception. The remote resources didn't work for me at all.

I've updated the FreeBSD port to pull in yajl, curl (ModSec would not load without), lua51 (see below), and optionally ssdeep. I have to read about fuzzy hashing before testing it, but it builds and the syntax seems to be accepted.

Okay, on to the problems I've found. All tests were on FreeBSD 10.0-p12 with stack smashing protection, amd64, Apache 2.4.10 prefork, OpenSSL 1.0.1j, clang 3.3.

1) High prio: Remote resources fail with segfaults and other problems in @pmFromFile, @ipMatchFromFile and SecRemoteRules. https://gist.github.com/lifeforms/102f66246de8bd33a2ca

2) High prio: Undiagnosed persistent crash. https://gist.github.com/lifeforms/4356643edfe8f39c2991

3) Medium prio: httpd crash on every request when using Lua 5.2. Working fine with Lua 5.1. https://gist.github.com/lifeforms/3ecc60c67012a053d060

4) Low prio: Apache log messages not prefixed with name. (Also present in earlier version) https://gist.github.com/lifeforms/4b41ae6464073ced39f5

Since I don't know if it's a useful workflow to create github issues, I’ve put the long descriptions in gists for now, but of course I can submit them wherever you like.

If I can submit more info, let me know. Except for issue 2) it’s easy to reproduce.

Thanks!
WH

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp

Re: [Mod-security-developers] ModSecurity version 2.9.0-RC1 released

[Felipe C. <FC...@tr...>]

Hi Christian,

Thank you for the detailed report on the failure and also for testing the
release candidate.

The details that you have provided seems to be a good starting point for
me to
start to investigate this issue. I will let you know if the core dump file
will be necessary.


Br.,

Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>




From:  Christian Folini <chr...@ti...>
Reply-To:  "mod...@li..."
<mod...@li...>
Date:  Wednesday, November 19, 2014 11:21 AM
To:  "mod...@li..."
<mod...@li...>
Subject:  Re: [Mod-security-developers] ModSecurity version 2.9.0-RC1
released


Thanks for the release candidate.

It has built successfully on ubuntu 04.14 on apache 2.4.10 and I can
confirm that the fix for the bug in the 2.8.0 ipMatch directive works fine.

However, I encountered a segfault during init when using the new remote
URI feature in ipMatchFromFile.

Fetching the files works fine, but enabling the ssl engine _afterwards_ in
a VH leads to the segfault:

gdb output:
        ssl_init_ctx_protocol (s=0x75efd8, p=0x6a7138, ptemp=0x6d6368,
mctx=0x7243b0) at ssl_engine_init.c:481
        481        ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
        (gdb) n
        484        if (protocol == SSL_PROTOCOL_SSLV3) {
        (gdb) n
        489        else if (protocol == SSL_PROTOCOL_TLSV1) {
        (gdb) n
        495        else if (protocol == SSL_PROTOCOL_TLSV1_1) {
        (gdb) n
        500        else if (protocol == SSL_PROTOCOL_TLSV1_2) {
        (gdb) n
        507            method = mctx->pkp ?
        (gdb) n
        508                SSLv23_client_method() : /* proxy */
        (gdb) n
        507            method = mctx->pkp ?
        (gdb) n
        511        ctx = SSL_CTX_new(method);
        (gdb) n
        513        mctx->ssl_ctx = ctx;
        (gdb) n
        515        SSL_CTX_set_options(ctx, SSL_OP_ALL);
        (gdb) s
        Program received signal SIGSEGV, Segmentation fault.
        0x00007ffff5641adb in SSL_CTX_ctrl () from
/lib/x86_64-linux-gnu/libssl.so.1.0.0

Apache Compilation:
$> CFLAGS="-Og -g -ggdb3"; export CFLAGS
$> ./configure --prefix=/apache --with-included-apr --enable-modules=most
--enable-mods-shared=all --enable-mime-magic --enable-unique-id
--enable-logio --enable-ssl --enable-proxy --enable-proxy-http
--enable-deflate --enable-mpms-shared=event worker prefork
 --enable-nonportable-atomics=yes

ModSec Compilation:
$> CFLAGS="-Og -g -ggdb3"; export CFLAGS
$> ./configure --with-apxs=/apache/bin/apxs
--with-apu=/apache/bin/apu-1-config --with-apr=/apache/bin/apr-1-config
--with-pcre=/usr/bin/pcre-config

Minimal apache configuration producing the error:
    ServerName      localhost
    ServerAdmin     root@localhost
    ServerRoot      /apache
    PidFile        /tmp/httpd.pid

    Listen          127.0.0.1:443

    LoadModule    mpm_event_module    modules/mod_mpm_event.so
    LoadModule    unixd_module        modules/mod_unixd.so
    LoadModule    ssl_module        modules/mod_ssl.so
    LoadModule      unique_id_module       modules/mod_unique_id.so
    LoadModule      security2_module       modules/mod_security2.so

    SecRule REMOTE_ADDR "@ipMatchFromFile
https://blacklistserver.example.com/ip-blacklist.txt
<http://scanmail.trustwave.com/?c=4062&d=sqfs1I9cPYBDMuH_bTqzApeucY7c2QMsI_
hmE7t92g&s=5&u=https%3a%2f%2fblacklistserver%2eexample%2ecom%2fip-blacklist
%2etxt>"    "id:10500,pass"

    <VirtualHost *:443>
          ServerName localhost
          SSLEngine On
    </VirtualHost>


Unfortunately, I have not compiled /lib/x86_64-linux-gnu/libssl.so.1.0.0
myself, so I guess that's why I can not
dig into that library with gdb.

I have a core-file if that is needed.

Best,

Christian Folini




________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] ModSecurity version 2.9.0-RC1 released

[Felipe C. <FC...@tr...>]

Hi Rainer,

Thank you for test the release candidate.

You are right. There is no need to force our users to have Curl
installed.

Curl dependecy will be mandatory only to the functionalities:
SecRemoteRules,
"remote resources", and mlogc. If Curl is not found in the system those
functionalities will be disabled.

I will make the necessary modifications.


Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>






On 11/18/14 7:00 PM, "Rainer Jung" <rai...@ki...> wrote:

>Addition: you should also move the line
>
>#ifdef WITH_REMOTE_RULES_SUPPORT
>
>in msc_remote_rules.c higher up in the file. Currently it would still
>include (and need) all header files and only then the if block would
>disable all code. But the curl.h might not be there, so include and
>compilation fails. Moving of the if line directly after
>
>#include "msc_remote_rules.h"
>
>fixes this.
>
>Then there are two more curl dependencies:
>
>- in apache2/re_operators.c in function msre_op_pmFromFile_param_init if
>the file name for pmFromFile is an https URL
>
>- in apache2/msc_util.c in function ip_tree_from_uri if the file name
>for ipmatchFromFile is an https URL
>
>IMHO both features should be disabled (replaced by an error message
>during runtime) if curl is not found.
>
>Thanks and regards,
>
>Rainer
>
>Am 18.11.2014 um 22:29 schrieb Rainer Jung:
>> Thanks for producing the RC and sharing.
>>
>> Building it without curl support we get the expected
>>
>> NOTE: curl library is only required for building mlogc
>>
>> output from the configure script, but then the build fails because of
>> the new remote rules support. File msc_remote_rules.h unconditionally
>> needs curl/curl.h.
>>
>> I'd say curl is a bit huge and the remote rule support not in the main
>> stream use, so having the curl dependency only as an option currently
>> would be good.
>>
>> To not introduce a new mandatory dependency, you should define
>> WITH_REMOTE_RULES_SUPPORT only if curl was found by configure.
>>
>> Regards,
>>
>> Rainer
>>
>> Am 18.11.2014 um 14:34 schrieb Felipe Costa:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Hi,
>>>
>>> I am proud to announce our first release candidate for version 2.9.0.
>>> The 2.9.0-RC1 contains fixes and new features.
>>>
>>> The documentation is available in our wikipage:
>>>
>>>http://scanmail.trustwave.com/?c=4062&d=s8Hr1APWoFLpzfgNjgdh9FNfwJOpYf55
>>>vD_zHetZzA&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2
>>>fwiki%2fReference-Manual
>>>
>>> The source and binaries (and the respective hashes) are available at:
>>>
>>>http://scanmail.trustwave.com/?c=4062&d=s8Hr1APWoFLpzfgNjgdh9FNfwJOpYf55
>>>vDb2G-8MkA&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2
>>>freleases%2ftag%2fv2%2e9%2e0-rc1
>>>
>>> SHA256(modsecurity-2.9.0-RC1.tar.gz)=
>>> 1a061e09bc7e3218a80bc2004b7e87c8f3a382323b09633e060c16bea5e23098
>>> SHA256(ModSecurityIIS_2.9.0-RC1-32b.msi)=
>>> 68cd286612ca7026442ec3c409f33a2eaca428d9bb7a297d23a19043f5c31360
>>> SHA256(ModSecurityIIS_2.9.0-RC1-64b.msi)=
>>> 948ffeda98684c569c22da95d600aca7998f20a85c9345a56086e1a85c1d8ab7
>>>
>>> We would like to thank you all that helped out making this release:
>>> comments,
>>> bug reports, and pull requests.
>>>
>>> The most important changes are listed bellow:
>>>
>>> New features
>>> ============
>>>
>>> * `pmFromFile' and `ipMatchFromFile' operators are now accepting HTTPS
>>> served
>>>     files as parameter.
>>> * `SecRemoteRules' directive - allows you to specify a HTTPS served
>>> file that
>>>    may contain rules in the SecRule format to be loaded into your
>>> ModSecurity
>>>    instance.
>>> * `SecRemoteRulesFailAction' directive - allows you to control
>>> whenever the
>>>    user wants to Abort or just Warn when there is a problem while
>>> downloading
>>>    rules specified with the directive: `SecRemoteRules'.
>>> * `fuzzyHash' operator - allows to match contents using fuzzy hashes.
>>> * `FILES_TMP_CONTENT' collection - make available the content of
>>>uploaded
>>>    files.
>>> * InsecureNoCheckCert - option to validate or not a chain of SSL
>>> certificates
>>>    on mlogc connections.
>>>
>>>
>>> Bug fixes
>>> =========
>>>
>>> * ModSecurityIIS: ModSecurity event ID was changed from 0 to 0x1.
>>>    [Issue #676 - Kris Kater and ModSecurity team]
>>> * Fixed signature on "status call": ModSecurity is now using the
>>>original
>>>    server signature.
>>>    [Issues #702 - Linas and ModSecurity team]
>>> * YAJL version is printed while ModSecurity initialization.
>>>    [Issue #703 - Steffen (Apache Lounge) and Mauro Faccenda]
>>> * Fixed subnet representation using slash notation on the @ipMatch
>>> operator.
>>>    [Issue #706 - Walter Hop and ModSecurity team]
>>> * Limited the length of a status call.
>>>    [Issue #714 - 'cpanelkurt' and ModSecurity team]
>>> * Added the missing -P option to nginx regression tests.
>>>    [Issue #720 - Paul Yang]
>>> * Fixed automake scripts to do not use features which will be
>>> deprecated in the
>>>    upcoming releases of automake.
>>>    [Issue #760 - ModSecurity team]
>>> * apr-utils's LDFALGS is now considered while building ModSecurity.
>>>    [Issue #782 - Daniel J. Luke]
>>> * IIS installer is not considering IIS 6 as compatible anymore.
>>>    [Issue #790 - ModSecurity team]
>>> * Fixed yajl build script: now looking for the correct header file.
>>>    [Issue #804 - 'rpfilomeno' and ModSecurity team]
>>> * mlgoc is now forced to use TLS 1.x.
>>>    [Issue #806 - Josh Amishav-Zlatin and ModSecurity team]
>>>
>>>
>>> Br.,
>>> Felipe "Zimmerle" Costa
>>> Security Researcher, SpiderLabs
>>>
>>> Trustwave | SMART SECURITY ON DEMAND
>>> www.trustwave.com <http://www.trustwave.com/>
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1
>>> Comment: GPGTools -
>>>http://scanmail.trustwave.com/?c=4062&d=s8Hr1APWoFLpzfgNjgdh9FNfwJOpYf55
>>>vDb2R7gImQ&s=5&u=https%3a%2f%2fgpgtools%2eorg
>>>
>>> iEYEARECAAYFAlRrRO0ACgkQ5t+wjOixEneDsQCfdQO7tsVdlBJB4bKQkRFzvpP+
>>> m8EAn2ToUijuHIKpOm9yWdcwsuZ5yBW+
>>> =80Ng
>>> -----END PGP SIGNATURE-----
>>>
>>> ________________________________
>>>
>>> This transmission may contain information that is privileged,
>>> confidential, and/or exempt from disclosure under applicable law. If
>>> you are not the intended recipient, you are hereby notified that any
>>> disclosure, copying, distribution, or use of the information contained
>>> herein (including any reliance thereon) is strictly prohibited. If you
>>> received this transmission in error, please immediately contact the
>>> sender and destroy the material in its entirety, whether in electronic
>>> or hard copy format.
>>>
>>>
>>>------------------------------------------------------------------------
>>>------
>>>
>>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>>> from Actuate! Instantly Supercharge Your Business Reports and
>>>Dashboards
>>> with Interactivity, Sharing, Native Excel Exports, App Integration &
>>>more
>>> Get technology previously reserved for billion-dollar corporations,
>>>FREE
>>>
>>>http://scanmail.trustwave.com/?c=4062&d=s8Hr1APWoFLpzfgNjgdh9FNfwJOpYf55
>>>vDSlR7kAyA&s=5&u=http%3a%2f%2fpubads%2eg%2edoubleclick%2enet%2fgampad%2f
>>>clk%3fid%3d157005751%26iu%3d%2f4140%2fostg%2eclktrk
>>>
>>> _______________________________________________
>>> mod-security-developers mailing list
>>> mod...@li...
>>>
>>>http://scanmail.trustwave.com/?c=4062&d=s8Hr1APWoFLpzfgNjgdh9FNfwJOpYf55
>>>vDahR74PzA&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flisti
>>>nfo%2fmod-security-developers
>>> ModSecurity Services from Trustwave's SpiderLabs:
>>> https://www.trustwave.com/spiderLabs.php
>
>--------------------------------------------------------------------------
>----
>Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>with Interactivity, Sharing, Native Excel Exports, App Integration & more
>Get technology previously reserved for billion-dollar corporations, FREE
>http://scanmail.trustwave.com/?c=4062&d=s8Hr1APWoFLpzfgNjgdh9FNfwJOpYf55vD
>SlR7kAyA&s=5&u=http%3a%2f%2fpubads%2eg%2edoubleclick%2enet%2fgampad%2fclk%
>3fid%3d157005751%26iu%3d%2f4140%2fostg%2eclktrk
>_______________________________________________
>mod-security-developers mailing list
>mod...@li...
>http://scanmail.trustwave.com/?c=4062&d=s8Hr1APWoFLpzfgNjgdh9FNfwJOpYf55vD
>ahR74PzA&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%
>2fmod-security-developers
>ModSecurity Services from Trustwave's SpiderLabs:
>https://www.trustwave.com/spiderLabs.php


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] [mod-security-packagers] ModSecurity version 2.9.0-RC1 released

[Felipe C. <FC...@tr...>]

Hi Walter,

Thanks for the package and thanks for test.
Your feedback is very important.

Comments bellow.

>
> From:  Walter Hop <mo...@sp...>
> Date:  Terça-feira, novembro 18, 2014 18:29
>
>2.9.0-RC1 built without problems on FreeBSD 10.x (well, some clang
>warnings if
>anybody¹s interested) and it passes Œmake test¹ and our internal
>regression
>test, however I have problems running run-regression-tests.pl
><http://scanmail.trustwave.com/?c=4062&d=sLrr1PDx6RxJZUGpkDISQKKOx2vXScoRl
>-mWI6bBWA&s=5&u=http%3a%2f%2frun-regression-tests%2epl>
>(which was also the case in last version).
>

Yes, we want to reduce the number of warnings to "0". We have an issue on
GitHub
to track our progress:
https://github.com/SpiderLabs/ModSecurity/issues/631

The issue has a reference to a Google Spreadsheet that contains some
numbers. As you can see I need to update those values.

What kind of problems did you faced while running
`run-regression-tests.pl'?

I know that `run-regression-tests.pl' is current very limited, it may not
adapt
well on different Apache compilations options. If I recall correctly I had
installed Apache with +mpm (or similar) on our FreeBSDs buildbots.

The logs of ModSecurity buildbots are available here:
FreeBSD 9:
 -
http://www.modsecurity.org/developers/buildbot/builders/freebsd9%20-%20Apac
he/builds/39/steps/regression%20test/logs/stdio
FreeBSD 10:
 -
http://www.modsecurity.org/developers/buildbot/builders/freebsd10%20-%20Apa
che/builds/39/steps/regression%20test/logs/stdio

>
>If there are FreeBSD users on the lists, I would invite you to try the
>preliminary 2.9.0.r1 version of the FreeBSD port. It would be especially
>interesting if you are running ARM/sparc.
>

We don't have a sparc yet on our BuildBots I wish to have one in a near
future.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>




________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] ModSecurity version 2.9.0-RC1 released

[Christian F. <chr...@ti...>]

Thanks for the release candidate.

It has built successfully on ubuntu 04.14 on apache 2.4.10 and I can confirm that the fix for the bug in the 2.8.0 ipMatch directive works fine.

However, I encountered a segfault during init when using the new remote URI feature in ipMatchFromFile.

Fetching the files works fine, but enabling the ssl engine _afterwards_ in a VH leads to the segfault:

gdb output:
        ssl_init_ctx_protocol (s=0x75efd8, p=0x6a7138, ptemp=0x6d6368, mctx=0x7243b0) at ssl_engine_init.c:481
        481        ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
        (gdb) n
        484        if (protocol == SSL_PROTOCOL_SSLV3) {
        (gdb) n
        489        else if (protocol == SSL_PROTOCOL_TLSV1) {
        (gdb) n
        495        else if (protocol == SSL_PROTOCOL_TLSV1_1) {
        (gdb) n
        500        else if (protocol == SSL_PROTOCOL_TLSV1_2) {
        (gdb) n
        507            method = mctx->pkp ?
        (gdb) n
        508                SSLv23_client_method() : /* proxy */
        (gdb) n
        507            method = mctx->pkp ?
        (gdb) n
        511        ctx = SSL_CTX_new(method);
        (gdb) n
        513        mctx->ssl_ctx = ctx;
        (gdb) n
        515        SSL_CTX_set_options(ctx, SSL_OP_ALL);
        (gdb) s
        Program received signal SIGSEGV, Segmentation fault.
        0x00007ffff5641adb in SSL_CTX_ctrl () from /lib/x86_64-linux-gnu/libssl.so.1.0.0

Apache Compilation:
$> CFLAGS="-Og -g -ggdb3"; export CFLAGS
$> ./configure --prefix=/apache --with-included-apr --enable-modules=most --enable-mods-shared=all --enable-mime-magic --enable-unique-id --enable-logio --enable-ssl --enable-proxy --enable-proxy-http --enable-deflate --enable-mpms-shared=event worker prefork --enable-nonportable-atomics=yes

ModSec Compilation:
$> CFLAGS="-Og -g -ggdb3"; export CFLAGS
$> ./configure --with-apxs=/apache/bin/apxs --with-apu=/apache/bin/apu-1-config --with-apr=/apache/bin/apr-1-config --with-pcre=/usr/bin/pcre-config

Minimal apache configuration producing the error:
    ServerName      localhost
    ServerAdmin     root@localhost
    ServerRoot      /apache
    PidFile        /tmp/httpd.pid

    Listen          127.0.0.1:443

    LoadModule    mpm_event_module    modules/mod_mpm_event.so
    LoadModule    unixd_module        modules/mod_unixd.so
    LoadModule    ssl_module        modules/mod_ssl.so
    LoadModule      unique_id_module       modules/mod_unique_id.so
    LoadModule      security2_module       modules/mod_security2.so

    SecRule REMOTE_ADDR "@ipMatchFromFile https://blacklistserver.example.com/ip-blacklist.txt"    "id:10500,pass"

    <VirtualHost *:443>
          ServerName localhost
          SSLEngine On
    </VirtualHost>


Unfortunately, I have not compiled  /lib/x86_64-linux-gnu/libssl.so.1.0.0 myself, so I guess that's why I can not
dig into that library with gdb.

I have a core-file if that is needed.

Best,

Christian Folini

Re: [Mod-security-developers] ModSecurity version 2.9.0-RC1 released

[Rainer J. <rai...@ki...>]

Addition: you should also move the line

#ifdef WITH_REMOTE_RULES_SUPPORT

in msc_remote_rules.c higher up in the file. Currently it would still 
include (and need) all header files and only then the if block would 
disable all code. But the curl.h might not be there, so include and 
compilation fails. Moving of the if line directly after

#include "msc_remote_rules.h"

fixes this.

Then there are two more curl dependencies:

- in apache2/re_operators.c in function msre_op_pmFromFile_param_init if 
the file name for pmFromFile is an https URL

- in apache2/msc_util.c in function ip_tree_from_uri if the file name 
for ipmatchFromFile is an https URL

IMHO both features should be disabled (replaced by an error message 
during runtime) if curl is not found.

Thanks and regards,

Rainer

Am 18.11.2014 um 22:29 schrieb Rainer Jung:
> Thanks for producing the RC and sharing.
>
> Building it without curl support we get the expected
>
> NOTE: curl library is only required for building mlogc
>
> output from the configure script, but then the build fails because of
> the new remote rules support. File msc_remote_rules.h unconditionally
> needs curl/curl.h.
>
> I'd say curl is a bit huge and the remote rule support not in the main
> stream use, so having the curl dependency only as an option currently
> would be good.
>
> To not introduce a new mandatory dependency, you should define
> WITH_REMOTE_RULES_SUPPORT only if curl was found by configure.
>
> Regards,
>
> Rainer
>
> Am 18.11.2014 um 14:34 schrieb Felipe Costa:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi,
>>
>> I am proud to announce our first release candidate for version 2.9.0.
>> The 2.9.0-RC1 contains fixes and new features.
>>
>> The documentation is available in our wikipage:
>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
>>
>> The source and binaries (and the respective hashes) are available at:
>> https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc1
>>
>> SHA256(modsecurity-2.9.0-RC1.tar.gz)=
>> 1a061e09bc7e3218a80bc2004b7e87c8f3a382323b09633e060c16bea5e23098
>> SHA256(ModSecurityIIS_2.9.0-RC1-32b.msi)=
>> 68cd286612ca7026442ec3c409f33a2eaca428d9bb7a297d23a19043f5c31360
>> SHA256(ModSecurityIIS_2.9.0-RC1-64b.msi)=
>> 948ffeda98684c569c22da95d600aca7998f20a85c9345a56086e1a85c1d8ab7
>>
>> We would like to thank you all that helped out making this release:
>> comments,
>> bug reports, and pull requests.
>>
>> The most important changes are listed bellow:
>>
>> New features
>> ============
>>
>> * `pmFromFile' and `ipMatchFromFile' operators are now accepting HTTPS
>> served
>>     files as parameter.
>> * `SecRemoteRules' directive - allows you to specify a HTTPS served
>> file that
>>    may contain rules in the SecRule format to be loaded into your
>> ModSecurity
>>    instance.
>> * `SecRemoteRulesFailAction' directive - allows you to control
>> whenever the
>>    user wants to Abort or just Warn when there is a problem while
>> downloading
>>    rules specified with the directive: `SecRemoteRules'.
>> * `fuzzyHash' operator - allows to match contents using fuzzy hashes.
>> * `FILES_TMP_CONTENT' collection - make available the content of uploaded
>>    files.
>> * InsecureNoCheckCert - option to validate or not a chain of SSL
>> certificates
>>    on mlogc connections.
>>
>>
>> Bug fixes
>> =========
>>
>> * ModSecurityIIS: ModSecurity event ID was changed from 0 to 0x1.
>>    [Issue #676 - Kris Kater and ModSecurity team]
>> * Fixed signature on "status call": ModSecurity is now using the original
>>    server signature.
>>    [Issues #702 - Linas and ModSecurity team]
>> * YAJL version is printed while ModSecurity initialization.
>>    [Issue #703 - Steffen (Apache Lounge) and Mauro Faccenda]
>> * Fixed subnet representation using slash notation on the @ipMatch
>> operator.
>>    [Issue #706 - Walter Hop and ModSecurity team]
>> * Limited the length of a status call.
>>    [Issue #714 - 'cpanelkurt' and ModSecurity team]
>> * Added the missing -P option to nginx regression tests.
>>    [Issue #720 - Paul Yang]
>> * Fixed automake scripts to do not use features which will be
>> deprecated in the
>>    upcoming releases of automake.
>>    [Issue #760 - ModSecurity team]
>> * apr-utils's LDFALGS is now considered while building ModSecurity.
>>    [Issue #782 - Daniel J. Luke]
>> * IIS installer is not considering IIS 6 as compatible anymore.
>>    [Issue #790 - ModSecurity team]
>> * Fixed yajl build script: now looking for the correct header file.
>>    [Issue #804 - 'rpfilomeno' and ModSecurity team]
>> * mlgoc is now forced to use TLS 1.x.
>>    [Issue #806 - Josh Amishav-Zlatin and ModSecurity team]
>>
>>
>> Br.,
>> Felipe "Zimmerle" Costa
>> Security Researcher, SpiderLabs
>>
>> Trustwave | SMART SECURITY ON DEMAND
>> www.trustwave.com <http://www.trustwave.com/>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1
>> Comment: GPGTools - https://gpgtools.org
>>
>> iEYEARECAAYFAlRrRO0ACgkQ5t+wjOixEneDsQCfdQO7tsVdlBJB4bKQkRFzvpP+
>> m8EAn2ToUijuHIKpOm9yWdcwsuZ5yBW+
>> =80Ng
>> -----END PGP SIGNATURE-----
>>
>> ________________________________
>>
>> This transmission may contain information that is privileged,
>> confidential, and/or exempt from disclosure under applicable law. If
>> you are not the intended recipient, you are hereby notified that any
>> disclosure, copying, distribution, or use of the information contained
>> herein (including any reliance thereon) is strictly prohibited. If you
>> received this transmission in error, please immediately contact the
>> sender and destroy the material in its entirety, whether in electronic
>> or hard copy format.
>>
>> ------------------------------------------------------------------------------
>>
>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>> with Interactivity, Sharing, Native Excel Exports, App Integration & more
>> Get technology previously reserved for billion-dollar corporations, FREE
>> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
>>
>> _______________________________________________
>> mod-security-developers mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php

Re: [Mod-security-developers] ModSecurity version 2.9.0-RC1 released

[Rainer J. <rai...@ki...>]

Thanks for producing the RC and sharing.

Building it without curl support we get the expected

NOTE: curl library is only required for building mlogc

output from the configure script, but then the build fails because of 
the new remote rules support. File msc_remote_rules.h unconditionally 
needs curl/curl.h.

I'd say curl is a bit huge and the remote rule support not in the main 
stream use, so having the curl dependency only as an option currently 
would be good.

To not introduce a new mandatory dependency, you should define 
WITH_REMOTE_RULES_SUPPORT only if curl was found by configure.

Regards,

Rainer

Am 18.11.2014 um 14:34 schrieb Felipe Costa:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I am proud to announce our first release candidate for version 2.9.0.
> The 2.9.0-RC1 contains fixes and new features.
>
> The documentation is available in our wikipage:
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
>
> The source and binaries (and the respective hashes) are available at:
> https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc1
>
> SHA256(modsecurity-2.9.0-RC1.tar.gz)= 1a061e09bc7e3218a80bc2004b7e87c8f3a382323b09633e060c16bea5e23098
> SHA256(ModSecurityIIS_2.9.0-RC1-32b.msi)= 68cd286612ca7026442ec3c409f33a2eaca428d9bb7a297d23a19043f5c31360
> SHA256(ModSecurityIIS_2.9.0-RC1-64b.msi)= 948ffeda98684c569c22da95d600aca7998f20a85c9345a56086e1a85c1d8ab7
>
> We would like to thank you all that helped out making this release: comments,
> bug reports, and pull requests.
>
> The most important changes are listed bellow:
>
> New features
> ============
>
> * `pmFromFile' and `ipMatchFromFile' operators are now accepting HTTPS served
>     files as parameter.
> * `SecRemoteRules' directive - allows you to specify a HTTPS served file that
>    may contain rules in the SecRule format to be loaded into your ModSecurity
>    instance.
> * `SecRemoteRulesFailAction' directive - allows you to control whenever the
>    user wants to Abort or just Warn when there is a problem while downloading
>    rules specified with the directive: `SecRemoteRules'.
> * `fuzzyHash' operator - allows to match contents using fuzzy hashes.
> * `FILES_TMP_CONTENT' collection - make available the content of uploaded
>    files.
> * InsecureNoCheckCert - option to validate or not a chain of SSL certificates
>    on mlogc connections.
>
>
> Bug fixes
> =========
>
> * ModSecurityIIS: ModSecurity event ID was changed from 0 to 0x1.
>    [Issue #676 - Kris Kater and ModSecurity team]
> * Fixed signature on "status call": ModSecurity is now using the original
>    server signature.
>    [Issues #702 - Linas and ModSecurity team]
> * YAJL version is printed while ModSecurity initialization.
>    [Issue #703 - Steffen (Apache Lounge) and Mauro Faccenda]
> * Fixed subnet representation using slash notation on the @ipMatch operator.
>    [Issue #706 - Walter Hop and ModSecurity team]
> * Limited the length of a status call.
>    [Issue #714 - 'cpanelkurt' and ModSecurity team]
> * Added the missing -P option to nginx regression tests.
>    [Issue #720 - Paul Yang]
> * Fixed automake scripts to do not use features which will be deprecated in the
>    upcoming releases of automake.
>    [Issue #760 - ModSecurity team]
> * apr-utils's LDFALGS is now considered while building ModSecurity.
>    [Issue #782 - Daniel J. Luke]
> * IIS installer is not considering IIS 6 as compatible anymore.
>    [Issue #790 - ModSecurity team]
> * Fixed yajl build script: now looking for the correct header file.
>    [Issue #804 - 'rpfilomeno' and ModSecurity team]
> * mlgoc is now forced to use TLS 1.x.
>    [Issue #806 - Josh Amishav-Zlatin and ModSecurity team]
>
>
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: GPGTools - https://gpgtools.org
>
> iEYEARECAAYFAlRrRO0ACgkQ5t+wjOixEneDsQCfdQO7tsVdlBJB4bKQkRFzvpP+
> m8EAn2ToUijuHIKpOm9yWdcwsuZ5yBW+
> =80Ng
> -----END PGP SIGNATURE-----
>
> ________________________________
>
> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php

Re: [Mod-security-developers] [mod-security-packagers] ModSecurity version 2.9.0-RC1 released

[Walter H. <mo...@sp...>]

Thanks for the work!

2.9.0-RC1 built without problems on FreeBSD 10.x (well, some clang warnings if anybody’s interested) and it passes ‘make test’ and our internal regression test, however I have problems running run-regression-tests.pl (which was also the case in last version).

If there are FreeBSD users on the lists, I would invite you to try the preliminary 2.9.0.r1 version of the FreeBSD port. It would be especially interesting if you are running ARM/sparc.

If you are starting from a clean install that has no Apache or ports tree, do this first:
# pkg install apache24 git
# portsnap fetch extract
# echo 'DEFAULT_VERSIONS=apache=2.4' >> /etc/make.conf
# echo 'apache24_enable=YES' >> /etc/rc.conf
# apachectl start

Get the 2.9.0.r1 version of the port and install it:
# git clone -b 2.9.0 https://github.com/lifeforms/mod_security.git
# cd mod_security
# make install

When done, this should display configuration hints and the location of a README file with more info. Follow the instructions on your terminal, or just do this:
# echo 'LoadModule security2_module libexec/apache24/mod_security2.so' >> /usr/local/etc/apache24/httpd.conf
# echo 'Include etc/modsecurity/*.conf' >> /usr/local/etc/apache24/httpd.conf
# apachectl restart
# tail /var/log/httpd-error.log

You should see ModSecurity startup messages there.

The above also works for Apache 2.2; just replace all '4' characters in this message with '2’.

Comments on the README are appreciated.

I plan to add a port option that will automatically install a recent branch of the CRS, but that will likely be for a different update.

Cheers,
WH


> On 18 Nov 2014, at 14:34, Felipe Costa <FC...@tr...> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> I am proud to announce our first release candidate for version 2.9.0.
> The 2.9.0-RC1 contains fixes and new features.
> 
> The documentation is available in our wikipage:
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
> 
> The source and binaries (and the respective hashes) are available at:
> https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc1
> 
> SHA256(modsecurity-2.9.0-RC1.tar.gz)= 1a061e09bc7e3218a80bc2004b7e87c8f3a382323b09633e060c16bea5e23098
> SHA256(ModSecurityIIS_2.9.0-RC1-32b.msi)= 68cd286612ca7026442ec3c409f33a2eaca428d9bb7a297d23a19043f5c31360
> SHA256(ModSecurityIIS_2.9.0-RC1-64b.msi)= 948ffeda98684c569c22da95d600aca7998f20a85c9345a56086e1a85c1d8ab7
> 
> We would like to thank you all that helped out making this release: comments,
> bug reports, and pull requests.
> 
> The most important changes are listed bellow:
> 
> New features
> ============
> 
> * `pmFromFile' and `ipMatchFromFile' operators are now accepting HTTPS served
>   files as parameter.
> * `SecRemoteRules' directive - allows you to specify a HTTPS served file that
>  may contain rules in the SecRule format to be loaded into your ModSecurity
>  instance.
> * `SecRemoteRulesFailAction' directive - allows you to control whenever the
>  user wants to Abort or just Warn when there is a problem while downloading
>  rules specified with the directive: `SecRemoteRules'.
> * `fuzzyHash' operator - allows to match contents using fuzzy hashes.
> * `FILES_TMP_CONTENT' collection - make available the content of uploaded
>  files.
> * InsecureNoCheckCert - option to validate or not a chain of SSL certificates
>  on mlogc connections.
> 
> 
> Bug fixes
> =========
> 
> * ModSecurityIIS: ModSecurity event ID was changed from 0 to 0x1.
>  [Issue #676 - Kris Kater and ModSecurity team]
> * Fixed signature on "status call": ModSecurity is now using the original
>  server signature.
>  [Issues #702 - Linas and ModSecurity team]
> * YAJL version is printed while ModSecurity initialization.
>  [Issue #703 - Steffen (Apache Lounge) and Mauro Faccenda]
> * Fixed subnet representation using slash notation on the @ipMatch operator.
>  [Issue #706 - Walter Hop and ModSecurity team]
> * Limited the length of a status call.
>  [Issue #714 - 'cpanelkurt' and ModSecurity team]
> * Added the missing -P option to nginx regression tests.
>  [Issue #720 - Paul Yang]
> * Fixed automake scripts to do not use features which will be deprecated in the
>  upcoming releases of automake.
>  [Issue #760 - ModSecurity team]
> * apr-utils's LDFALGS is now considered while building ModSecurity.
>  [Issue #782 - Daniel J. Luke]
> * IIS installer is not considering IIS 6 as compatible anymore.
>  [Issue #790 - ModSecurity team]
> * Fixed yajl build script: now looking for the correct header file.
>  [Issue #804 - 'rpfilomeno' and ModSecurity team]
> * mlgoc is now forced to use TLS 1.x.
>  [Issue #806 - Josh Amishav-Zlatin and ModSecurity team]
> 
> 
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
> 
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: GPGTools - https://gpgtools.org
> 
> iEYEARECAAYFAlRrRO0ACgkQ5t+wjOixEneDsQCfdQO7tsVdlBJB4bKQkRFzvpP+
> m8EAn2ToUijuHIKpOm9yWdcwsuZ5yBW+
> =80Ng
> -----END PGP SIGNATURE-----
> 
> ________________________________
> 
> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
> 
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> _______________________________________________
> mod-security-packagers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-packagers

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp

[Mod-security-developers] ModSecurity version 2.9.0-RC1 released

[Felipe C. <FC...@tr...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I am proud to announce our first release candidate for version 2.9.0.
The 2.9.0-RC1 contains fixes and new features.

The documentation is available in our wikipage:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

The source and binaries (and the respective hashes) are available at:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc1

SHA256(modsecurity-2.9.0-RC1.tar.gz)= 1a061e09bc7e3218a80bc2004b7e87c8f3a382323b09633e060c16bea5e23098
SHA256(ModSecurityIIS_2.9.0-RC1-32b.msi)= 68cd286612ca7026442ec3c409f33a2eaca428d9bb7a297d23a19043f5c31360
SHA256(ModSecurityIIS_2.9.0-RC1-64b.msi)= 948ffeda98684c569c22da95d600aca7998f20a85c9345a56086e1a85c1d8ab7

We would like to thank you all that helped out making this release: comments,
bug reports, and pull requests.

The most important changes are listed bellow:

New features
============

* `pmFromFile' and `ipMatchFromFile' operators are now accepting HTTPS served
   files as parameter.
* `SecRemoteRules' directive - allows you to specify a HTTPS served file that
  may contain rules in the SecRule format to be loaded into your ModSecurity
  instance.
* `SecRemoteRulesFailAction' directive - allows you to control whenever the
  user wants to Abort or just Warn when there is a problem while downloading
  rules specified with the directive: `SecRemoteRules'.
* `fuzzyHash' operator - allows to match contents using fuzzy hashes.
* `FILES_TMP_CONTENT' collection - make available the content of uploaded
  files.
* InsecureNoCheckCert - option to validate or not a chain of SSL certificates
  on mlogc connections.


Bug fixes
=========

* ModSecurityIIS: ModSecurity event ID was changed from 0 to 0x1.
  [Issue #676 - Kris Kater and ModSecurity team]
* Fixed signature on "status call": ModSecurity is now using the original
  server signature.
  [Issues #702 - Linas and ModSecurity team]
* YAJL version is printed while ModSecurity initialization.
  [Issue #703 - Steffen (Apache Lounge) and Mauro Faccenda]
* Fixed subnet representation using slash notation on the @ipMatch operator.
  [Issue #706 - Walter Hop and ModSecurity team]
* Limited the length of a status call.
  [Issue #714 - 'cpanelkurt' and ModSecurity team]
* Added the missing -P option to nginx regression tests.
  [Issue #720 - Paul Yang]
* Fixed automake scripts to do not use features which will be deprecated in the
  upcoming releases of automake.
  [Issue #760 - ModSecurity team]
* apr-utils's LDFALGS is now considered while building ModSecurity.
  [Issue #782 - Daniel J. Luke]
* IIS installer is not considering IIS 6 as compatible anymore.
  [Issue #790 - ModSecurity team]
* Fixed yajl build script: now looking for the correct header file.
  [Issue #804 - 'rpfilomeno' and ModSecurity team]
* mlgoc is now forced to use TLS 1.x.
  [Issue #806 - Josh Amishav-Zlatin and ModSecurity team]


Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - https://gpgtools.org

iEYEARECAAYFAlRrRO0ACgkQ5t+wjOixEneDsQCfdQO7tsVdlBJB4bKQkRFzvpP+
m8EAn2ToUijuHIKpOm9yWdcwsuZ5yBW+
=80Ng
-----END PGP SIGNATURE-----

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

[Mod-security-developers] Test case for cmdLine

[Gong <jz...@ho...>]

>From tests/tfn, I don't see any test cases for transformation function
"cmdLine", can anyone help? Thanks in advance.

 

https://github.com/SpiderLabs/ModSecurity/tree/master/tests/tfn

 

Zhen

[Mod-security-developers] Important: mlogc and SSLv3

[Felipe C. <FC...@tr...>]

Hi,

For those whom are using or distributing mlogc, please apply this patch:

https://gist.github.com/zimmerle/31eae2612c3719c5d1b1

This patch may be necessary, depending on your setup, to allow mlogc to
connects to TLS1.2 servers. Before this patch it was trying SSLv3. This
patch is already applied to our git repository.

Use SSLv3 is not a good idea as explained in the CVE-2014-3566 [1].

Notice that mlogc uses libcurl which will disable SSLv3 support as of:
7.39.0 [2].

If you didn't disabled the SSLv3 support in your web server, which mlogc
is connecting to, it is also a good idea.


[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
[2] http://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html


Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>



________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.