mod-security-developers Mailing List for ModSecurity (Page 15)
Brought to you by: victorhora, zimmerletw
From: Bruno de A. <br...@sa...> - 2014-10-30 19:05:26

Hi Felipe,

All my other tests were from the 2.8.0 tar and not straight from git. For this test I compiled it from the branch bruno_SecPcreMatchLimit and just copied the .la and .so files to my test apache.

All I do to replicate it is this. This errors:

cookie=$(for i in {0..1499}; do echo -n x; done); curl -o /dev/null -v -H "Cookie: shit=$cookie" http://host

This doesn't:

cookie=$(for i in {0..1498}; do echo -n x; done); curl -o /dev/null -v -H "Cookie: shit=$cookie" http://host

Message: Rule 20c8cba8 [id "973302"][file "/usr/local/apache2/conf/modsecurity.d/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "309"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Warning. Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/usr/local/apache2-nap/conf/mod_security.conf"] [line "112"] [id "200005"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"]

What I said in my original email about the Header size limit of 3985 bytes is wrong; it's actually any single cookie of 1500 bytes that's the limit. I guess it makes sense, considering the default pcre match limit is 1500.

Bruno

On 30 October 2014 13:31, Felipe Costa <FC...@tr...> wrote:
> Hi,
>
> Did you have a chance to test this branch in a clean environment?
> (new clone or even: git clean fxd)
>
> Can you share some info on your test environment? So I can try to
> replicate it here...
>
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com
>
> From: Bruno de Almeida <br...@sa...>
> Date: Thursday, October 30, 2014 2:20 PM
> Subject: Re: [Mod-security-developers] [mod-security-users] Does SecPcreMatchLimit work?
>
> [...]
>
> ________________________________
>
> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php

--
- Bruno
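Bruno's two curl lines bracket the threshold by hand: a 1499-byte cookie value passes and a 1500-byte one trips rule 973302. The script below is an added example, not code from this thread or from the ModSecurity project. It turns that manual check into a bisection over cookie lengths driven by a pluggable probe, and adds a triage step that pulls the rule id and rules file out of every "PCRE limits exceeded" line in the error log, so you know which Core Rule Set regexes are exhausting the match budget before you raise SecPcreMatchLimit. Everything not in the thread is an assumption made for the example: the target URL, the cookie name `c`, the choice in `probe_http` to read a tripped limit as an HTTP 403 (that only holds if rule 200005 is configured to deny; in Bruno's log it merely warns, so there you would tail the error log instead), and the sample log lines, which are constructed. `probe_simulated` models what Bruno observed (anything under 1500 bytes accepted) so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of ModSecurity itself.
# Bisects the cookie length at which ModSecurity starts reporting
# "PCRE limits exceeded" and triages the rules named in the error log.

# make_padding N: print N bytes of 'x' (the cookie value used in the thread).
# Built by binary doubling, so a few thousand bytes take about 12 iterations.
make_padding() (
  n=$1; out=''; chunk='x'
  while [ "$n" -gt 0 ]; do
    if [ $((n % 2)) -eq 1 ]; then out="${out}${chunk}"; fi
    chunk="${chunk}${chunk}"
    n=$((n / 2))
  done
  printf '%s' "$out"
)

# probe_simulated N: stand-in for a server, modelling what Bruno observed with
# the default match limit: a single cookie of 1500 bytes or more trips it.
# Constructed for offline runs. Returns 0 when a cookie of N bytes is accepted.
probe_simulated() {
  [ "$1" -lt 1500 ]
}

# probe_http N: the real probe. Sends one Cookie header whose value is N bytes
# long to $TARGET (assumed URL) and treats any status other than 403 as
# "accepted". That assumes rule 200005 (the TX:MSC_PCRE_LIMITS_EXCEEDED check)
# is set to deny; if it only warns, as in Bruno's log, grep the error log instead.
TARGET=${TARGET:-http://host/}
probe_http() {
  code=$(curl -s -o /dev/null -w '%{http_code}' \
              -H "Cookie: c=$(make_padding "$1")" "$TARGET")
  [ "$code" != 403 ]
}

# find_threshold PROBE LO HI: smallest N in [LO, HI] that PROBE rejects,
# assuming PROBE accepts every length below some threshold and rejects every
# length at or above it. Prints HI+1 when nothing in the range is rejected.
find_threshold() (
  probe=$1; lo=$2; hi=$3
  if "$probe" "$hi"; then
    echo $((hi + 1))
    exit 0
  fi
  while [ "$lo" -lt "$hi" ]; do
    mid=$(( (lo + hi) / 2 ))
    if "$probe" "$mid"; then lo=$((mid + 1)); else hi=$mid; fi
  done
  echo "$lo"
)

# pcre_limit_rules: read ModSecurity error-log lines on stdin and print
# "<rule id> <rules file>" once per rule whose regex ran out of match budget.
# Accepts the [id "..."][file "..."] pair with or without a space between.
pcre_limit_rules() {
  grep 'PCRE limits exceeded' \
    | sed -n 's/.*\[id "\([0-9]*\)"] *\[file "\([^"]*\)"].*/\1 \2/p' \
    | sort -u
}

# Constructed sample log, modelled on the lines Bruno posted; the second rule
# (id 1000001 in local_rules.conf, and its hash) is invented to show de-duplication.
SAMPLE_LOG='[Thu Oct 30 15:02:11 2014] [error] [client 192.0.2.10] ModSecurity: Rule 20c8cba8 [id "973302"][file "/usr/local/apache2/conf/modsecurity.d/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "309"] - Execution error - PCRE limits exceeded (-8): (null).
[Thu Oct 30 15:02:11 2014] [error] [client 192.0.2.10] ModSecurity: Warning. Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [id "200005"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"]
[Thu Oct 30 15:02:12 2014] [error] [client 192.0.2.10] ModSecurity: Rule 20c8cba8 [id "973302"][file "/usr/local/apache2/conf/modsecurity.d/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "309"] - Execution error - PCRE limits exceeded (-8): (null).
[Thu Oct 30 15:02:12 2014] [error] [client 192.0.2.10] ModSecurity: Rule 20c8d1a0 [id "1000001"] [file "/usr/local/apache2/conf/modsecurity.d/local_rules.conf"] [line "12"] - Execution error - PCRE limits exceeded (-8): (null).'

# Offline demonstration. Against a live server: TARGET=http://host/ find_threshold probe_http 1 8192
echo "smallest rejected cookie length (simulated): $(find_threshold probe_simulated 1 8192)"
echo "rules hitting the PCRE match limit in the sample log:"
printf '%s\n' "$SAMPLE_LOG" | pcre_limit_rules
```

The bisection assumes the probe is monotone in length, which is what a fixed match limit gives you for a regex that backtracks over the whole value; if results are flaky (other rules firing, rate limiting), check a couple of lengths either side of the answer by hand, as Bruno did. The 200005 warning line in the sample is deliberately not matched by the triage filter: it tells you the limit was hit, but only the "Execution error" line names the rule whose regex hit it.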
From: Felipe C. <FC...@tr...> - 2014-10-30 17:31:50

Hi,

Did you have a chance to test this branch in a clean environment? (new clone or even: git clean fxd)

Can you share some info on your test environment? So I can try to replicate it here...

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Bruno de Almeida <br...@sa...>
Date: Thursday, October 30, 2014 2:20 PM
To: "mod...@li..." <mod...@li...>
Subject: Re: [Mod-security-developers] [mod-security-users] Does SecPcreMatchLimit work?

> Thanks Felipe, but unless I've done something wrong, I got exactly the same behaviour.
>
> Compiling with default and increased values in config, I still got the error.
> Compiling with --enable-pcre-match-limit=200000 and decreased values in config, I didn't get the errors.
>
> Bruno
>
> [...]
From: Bruno de A. <br...@sa...> - 2014-10-30 17:20:42

Thanks Felipe, but unless I've done something wrong, I got exactly the same behaviour.

Compiling with default and increased values in config, I still got the error.
Compiling with --enable-pcre-match-limit=200000 and decreased values in config, I didn't get the errors.

Bruno

On 30 October 2014 12:36, Felipe Costa <FC...@tr...> wrote:
> Hi Bruno,
>
> It seems that those limits - while specified using SecPcreMatchLimit and
> SecPcreMatchLimitRecursion - were not being verified in 100% of the cases.
>
> Just made a quick patch to enforce those limits verification in 100% of
> the cases, it is currently being checked by our buildbots, it is available
> at this branch:
>
> https://github.com/SpiderLabs/ModSecurity/tree/bruno_SecPcreMatchLimit
>
> Can you test it?
>
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com
>
> From: Bruno de Almeida <br...@sa...>
> Date: Thursday, October 30, 2014 11:56 AM
> Subject: [mod-security-users] Does SecPcreMatchLimit work?
>
> [...]

--
- Bruno
From: Felipe C. <FC...@tr...> - 2014-10-30 16:36:42

Hi Bruno,

It seems that those limits - while specified using SecPcreMatchLimit and SecPcreMatchLimitRecursion - were not being verified in 100% of the cases.

Just made a quick patch to enforce those limits verification in 100% of the cases, it is currently being checked by our buildbots, it is available at this branch:

https://github.com/SpiderLabs/ModSecurity/tree/bruno_SecPcreMatchLimit

Can you test it?

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Bruno de Almeida <br...@sa...>
Reply-To: "mod...@li..." <mod...@li...>
Date: Thursday, October 30, 2014 11:56 AM
To: "mod...@li..." <mod...@li...>
Subject: [mod-security-users] Does SecPcreMatchLimit work?

> Hi All,
>
> I'm upgrading modsec and the owasp_crs rules on some of our servers and I
> ran into a bit of an issue with some of the owasp rules, specifically the
> XSS ones that inspect Cookies.
>
> We have some rather large Cookie headers on our setup and I noticed that
> after compiling mod_sec with the following options, I was getting a LOT of
> 'Execution error - PCRE limits exceeded' errors.
>
>   --host=x86_64-redhat-linux-gnu \
>   --build=x86_64-redhat-linux-gnu \
>   --target=x86_64-redhat-linux \
>   --with-apxs=%{_apacheroot}/bin/apxs \
>   --with-apr=%{_apacheroot}/bin/apr-1-config \
>   --with-apu=%{_apacheroot}/bin/apu-1-config \
>   --with-pcre=%{include_pcre} \
>   --with-libxml=%{include_libxml2} \
>   --enable-pcre-jit \
>   --enable-pcre-study \
>   --enable-lua-cache \
>
> I tried to increase SecPcreMatchLimit and SecPcreMatchLimitRecursion to
> very high numbers and it didn't make any difference.
>
> I also found that 3985 bytes was the maximum Cookie header size mod_sec
> would accept. 1 byte more and it would throw the PCRE limits exceeded
> error.
>
> I then re-compiled mod_sec and added these options:
>
>   --enable-pcre-match-limit=200000 \
>   --enable-pcre-match-limit-recursion=200000
>
> And the problem was gone, but I then tried to decrease the limits to very
> low numbers and I still wouldn't get the errors, which kind of tells me
> that changing these values after compilation doesn't work.
>
> These are the versions I'm running:
>
> [Thu Oct 30 14:47:12 2014] [notice] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
> [Thu Oct 30 14:47:12 2014] [notice] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
> [Thu Oct 30 14:47:12 2014] [notice] ModSecurity: PCRE compiled version="8.36 "; loaded version="8.36 2014-09-26"
> [Thu Oct 30 14:47:12 2014] [notice] ModSecurity: LUA compiled version="Lua 5.1"
> [Thu Oct 30 14:47:12 2014] [notice] ModSecurity: LIBXML compiled version="2.9.1"
>
> Thanks,
>
> --
> - Bruno
From: Walter H. <mo...@sp...> - 2014-10-23 12:27:51

Hi Felipe,

That sounds great and I'll reserve time to test the new version. (For the last version, unfortunately that schedule was squeezed due to Heartbleed drama.)

Good luck!

Cheers!
WH

> On 23 Oct 2014, at 04:24, Felipe Costa <FC...@tr...> wrote:
>
> Hey,
>
> Thanks for the interest!
>
> [...]
>
> Considering these new features and bug fixes, I would say that mid-November
> (3 weeks from now) sounds like a good date for a release candidate. I
> would love to count on you to help us test it.
>
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com
>
> On 10/22/14 4:55 PM, "Christian Folini" <chr...@ti...> wrote:
>
>> I'd sure second that!
>>
>> Christian
>>
>> On Wed, Oct 22, 2014 at 12:51:21PM +0200, Walter Hop wrote:
>>> Hi all,
>>>
>>> I'm wondering if there's any data on a release schedule for v2.8.1.
>>>
>>> The 2.8.0 release had a showstopper bug in IP matching for me (github
>>> issue 706) which is long fixed in master. I'd really like to update the
>>> FreeBSD port to a recent version (currently at 2.7.7), but I'm torn, as
>>> I can't use 2.8.0 myself currently, and I really would prefer not to add
>>> downstream patches.
>>>
>>> If there's not much happening feature wise, would it be possible to do
>>> a small release with only some fixes?
>>>
>>> Cheers!
>>> WH
>>>
>>> --
>>> Walter Hop | PGP key: https://lifeforms.nl/pgp

--
Walter Hop | PGP key: https://lifeforms.nl/pgp
From: Christian F. <chr...@ti...> - 2014-10-23 04:21:41

Thanks for the schedule. I'll try and test in time.

Christian

On Thu, Oct 23, 2014 at 02:24:08AM +0000, Felipe Costa wrote:
> Hey,
>
> Thanks for the interest!
>
> [...]
>
> Considering these new features and bug fixes, I would say that mid-November
> (3 weeks from now) sounds like a good date for a release candidate. I
> would love to count on you to help us test it.
>
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com
>
> On 10/22/14 4:55 PM, "Christian Folini" <chr...@ti...> wrote:
>
> > I'd sure second that!
> >
> > Christian
> >
> > [...]
From: Felipe C. <FC...@tr...> - 2014-10-23 02:24:16
Hey,

Thanks for the interest!

We have postponed this next release due to the open merge requests and bugs that we desire to close before any new release, especially on our nginx version. Since we release all platforms together, we were wishing to have those problems addressed first. But time has passed and we were not able to work on some of those issues yet, thus I think that we will need to release anyway and add "known issues" as part of the release notes.

It seems that releasing them all together (IIS, Apache, Nginx, Standalone) is hindering more than helping, since we have to coordinate the releases, benefits, and new features on all of these platforms. I hope to have a version for the core and other versions for each independent server/platform or specific implementation in further "major changes" in ModSecurity (not going to happen for this next release), allowing us to address the releases/bugs in a faster way.

As the release also involves community work (especially packagers), and we have some new features that are about to be merged into our master, for example `ssdeep' support (@fuzzyHash operator), I would like to merge these new features before the release. We also have some merge requests and other minor bugs that can be closed and included in the release.

Considering these new features and bug fixes, I would say that mid-November (3 weeks from now) sounds like a good date for a release candidate. I would love to count on you to help us test it.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

On 10/22/14 4:55 PM, "Christian Folini" <chr...@ti...> wrote:

> I'd sure second that!
>
> Christian
>
> On Wed, Oct 22, 2014 at 12:51:21PM +0200, Walter Hop wrote:
> > Hi all,
> >
> > I'm wondering if there's any data on a release schedule for v2.8.1.
> >
> > The 2.8.0 release had a showstopper bug in IP matching for me (github
> > issue 706) which is long fixed in master. I'd really like to update the
> > FreeBSD port to a recent version (currently at 2.7.7), but I'm torn, as
> > I can't use 2.8.0 myself currently, and I really would prefer not to add
> > downstream patches.
> >
> > If there's not much happening feature-wise, would it be possible to do
> > a small release with only some fixes?
> >
> > Cheers!
> > WH
From: Christian F. <chr...@ti...> - 2014-10-22 19:55:27
I'd sure second that!

Christian

On Wed, Oct 22, 2014 at 12:51:21PM +0200, Walter Hop wrote:
> Hi all,
>
> I'm wondering if there's any data on a release schedule for v2.8.1.
>
> The 2.8.0 release had a showstopper bug in IP matching for me (github issue 706) which is long fixed in master. I'd really like to update the FreeBSD port to a recent version (currently at 2.7.7), but I'm torn, as I can't use 2.8.0 myself currently, and I really would prefer not to add downstream patches.
>
> If there's not much happening feature-wise, would it be possible to do a small release with only some fixes?
>
> Cheers!
> WH
From: Walter H. <mo...@sp...> - 2014-10-22 11:10:34
Hi all,

I'm wondering if there's any data on a release schedule for v2.8.1.

The 2.8.0 release had a showstopper bug in IP matching for me (github issue 706) which is long fixed in master. I'd really like to update the FreeBSD port to a recent version (currently at 2.7.7), but I'm torn, as I can't use 2.8.0 myself currently, and I really would prefer not to add downstream patches.

If there's not much happening feature-wise, would it be possible to do a small release with only some fixes?

Cheers!
WH

--
Walter Hop | PGP key: https://lifeforms.nl/pgp
From: Christian F. <chr...@ti...> - 2014-10-20 08:57:06
Hoang Hai Nam,

This is the developer list. Your question is better served on the user list.

The brief answer is this: It depends on your situation and your application. Generally, the expensive rules are those applied to big chunks of data. Typically the rules working on the response body are very heavy. You can choose to disable response body access and get a big performance boost. But it might be safer to review the requests/responses and the rules one by one and pick those expensive rules on those requests/responses where they do not serve any good. If you have a static 1MB CSS, there is little point in running a ton of regexes on that output with every request/response.

It all depends on your local tuning. _You_ need to do that work. Do it thoroughly and you won't face a performance problem. Fail to do it properly and you will have to disable ModSec again because of bad performance.

Best,

Christian Folini

Hoang Hai Nam <na...@gm...>, 10/20/2014 10:17 AM:
> Hi Carlos,
> How many rules have you applied for your system? I intend to use the whole "Core rule set". It has a lot of rules, then if I use it each user's request will be inspected by hundreds of rules.
> Meanwhile the reverse proxy ModSecurity becomes the bottleneck of the whole system.
>
> On Mon, Oct 20, 2014 at 2:40 PM, Carlos Vidal <ca...@ta...> wrote:
> > I'm using nginx+modsec with a webmail system (Zimbra) hosting 25K users and it works pretty well. Performance depends of course on the number of rules you apply and in which phases. You can define hundreds of rules but have only a few that are used in the most common requests. If performance is paramount for your site, you will need to spend some time analyzing modsec logs to find which rules give you the highest "protection/load" ratio.
> >
> > On Mon, Oct 20, 2014 at 6:27 AM, Hoang Hai Nam <na...@gm...> wrote:
> > > Hi everyone,
> > > I'm planning to use ModSecurity for Nginx (reverse proxy form) to protect multiple of my company's websites, but I am confused by the Development Status: BETA, and I do not know whether ModSecurity for Nginx has stable performance with the Core Rule Set or not.
> > >
> > > Nginx has very good performance when used as a reverse proxy, so I want to ask for advice on using Nginx with ModSecurity.
> > >
> > > Looking forward to your reply. Thanks all very much.
> > >
> > > --
> > > Best regards,
> > > Hoang Hai Nam, senior
> > > Department of Software Engineering
> > > School of Information and Communication Technology (SoICT, http://www.soict.hut.edu.vn)
> > > Hanoi University of Science and Technology (HUST, http://www.hut.edu.vn)
> > > C1 Building - No 1, Dai Co Viet Street, Ha Noi, Vietnam
> > > Yahoo: soap412
> > > Mobile: +84 (0)9.13.09.66.46
> > > Facebook: https://www.facebook.com/nam.hoanghai
> > > E-mail: na...@gm... nam...@ho...
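To make the tuning Christian describes concrete, here is an added ModSecurity 2.x configuration example (not from the thread and not part of the Core Rule Set): it restricts response-body inspection to the content types worth scanning, turns it off per transaction for static assets, and switches on rule timing so you can measure before you remove anything. The rule IDs, the /static/ prefix and the 950000-950999 range are placeholders.

```apache
# Added example (not from the thread, not CRS rules): keep the engine and
# the request-phase rules on, but stop paying for response-body inspection
# where it buys nothing.  Rule IDs, the /static/ prefix and the rule-ID
# range below are placeholders for this example.

# Buffer and inspect response bodies only for these MIME types.  text/css,
# application/javascript and image types are not listed, so a static 1 MB
# stylesheet is never run through the response-body regexes at all.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml application/json

# Caveat: bodies larger than this limit are not inspected in full.  With
# the default action "Reject" a large HTML page would be blocked outright;
# ProcessPartial inspects the first 512 KB and lets the rest through.
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# Requests that name a static asset by extension: switch response-body
# access off for this transaction only (ctl: applies to the current request).
# The MIME list above keys on the upstream Content-Type; this rule keys on
# the path, so a static file served with a generic Content-Type is skipped.
SecRule REQUEST_FILENAME "@rx \.(?:css|js|png|jpe?g|gif|ico|woff2?|svg)$" \
    "id:900110,phase:1,pass,nolog,ctl:responseBodyAccess=Off"

# For a whole path that is known to be heavy, drop only the rules you have
# measured as expensive there instead of turning the rule engine off, so the
# cheaper request-phase checks still apply.  The ID range is a placeholder.
SecRule REQUEST_FILENAME "@beginsWith /static/" \
    "id:900111,phase:1,pass,nolog,ctl:ruleRemoveById=950000-950999"

# Measure first: record every rule that takes longer than 1000 microseconds
# on a transaction (exposed through PERF_RULES and the audit log), then rank
# rules by cost on real traffic before deciding which ones to remove.
SecRulePerfTime 1000
SecAuditEngine RelevantOnly
SecAuditLogParts ABIJDEFHZ
```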
From: Carlos V. <ca...@ta...> - 2014-10-20 08:54:40
I use the Core rules too, but with some escape routes. I don't know how your web site works, but in most cases you can identify a few usage patterns. In my case, a request can be authenticated, under authentication, or public. As a webmail has very few public requests (normally only access to js, css, icons, and images), rules are more stringent there. If it is under authentication, we count the number of "bad password" answers and block the IP for 10 minutes after 3. If the user is authenticated and the URI falls in a set of "normal" paths, we accept the request right away, minimizing the performance impact.

In other words, the Core rules are a good starting point, but there is no "one size fits all" approach. If you apply all the rules to all your requests you will pay a performance penalty, and parts of your site will not work, because of false positives. So you have to spend some time analyzing what to filter and how.

On Mon, Oct 20, 2014 at 10:16 AM, Hoang Hai Nam <na...@gm...> wrote:
> Hi Carlos,
> How many rules have you applied for your system? I intend to use the whole "Core rule set". It has a lot of rules, then if I use it each user's request will be inspected by hundreds of rules.
> Meanwhile the reverse proxy ModSecurity becomes the bottleneck of the whole system.
>
> On Mon, Oct 20, 2014 at 2:40 PM, Carlos Vidal <ca...@ta...> wrote:
> > I'm using nginx+modsec with a webmail system (Zimbra) hosting 25K users and it works pretty well. Performance depends of course on the number of rules you apply and in which phases. You can define hundreds of rules but have only a few that are used in the most common requests. If performance is paramount for your site, you will need to spend some time analyzing modsec logs to find which rules give you the highest "protection/load" ratio.
> >
> > On Mon, Oct 20, 2014 at 6:27 AM, Hoang Hai Nam <na...@gm...> wrote:
> > > Hi everyone,
> > > I'm planning to use ModSecurity for Nginx (reverse proxy form) to protect multiple of my company's websites, but I am confused by the Development Status: BETA, and I do not know whether ModSecurity for Nginx has stable performance with the Core Rule Set or not.
> > >
> > > Nginx has very good performance when used as a reverse proxy, so I want to ask for advice on using Nginx with ModSecurity.
> > >
> > > Looking forward to your reply. Thanks all very much.
> > >
> > > --
> > > Best regards,
> > > Hoang Hai Nam
>
> --
> Best regards,
> Hoang Hai Nam
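An added example of the "three bad passwords, block the IP for ten minutes" escape route Carlos describes, written as ModSecurity 2.x rules with a persistent IP collection (this is not his actual configuration). It assumes a /login endpoint (placeholder) that answers 401 on a failed login and 200 on success, placeholder rule IDs 9002xx, and a writable SecDataDir.

```apache
# Added example (not Carlos's rules): count failed logins per client address
# in a persistent collection and reject that client for ten minutes after
# three of them.  Assumptions: the login endpoint is /login (placeholder),
# it answers 401 on failure and 200 on success, rule IDs 9002xx are
# placeholders, and SecDataDir points at a directory the server can write.
SecDataDir /var/cache/modsecurity

# Phase 1: load (or create) the collection keyed on the client address.
# If another proxy sits in front, the key must be the real client address,
# otherwise one bad user locks out everyone who shares that hop.
SecAction "id:900200,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Phase 1: a client with three strikes is rejected before any request or
# response body is inspected, which is what keeps the check cheap.  The
# variable only exists until its expiry passes, so the block lifts itself.
SecRule IP:bad_pw "@ge 3" \
    "id:900201,phase:1,deny,status:403,log,\
    msg:'Client blocked after repeated failed logins',\
    logdata:'bad_pw=%{IP.bad_pw}'"

# Phase 3 (response headers): a 401 from the login endpoint adds a strike
# and (re)arms a 600 s expiry.  expirevar is relative to now, so the block
# lasts ten minutes from the most recent failure, not from the first one.
SecRule REQUEST_FILENAME "@streq /login" \
    "id:900202,phase:3,pass,nolog,chain"
    SecRule RESPONSE_STATUS "@streq 401" \
        "setvar:ip.bad_pw=+1,expirevar:ip.bad_pw=600"

# A successful login clears the strikes, so a user who mistypes twice and
# then gets it right is not locked out by a single later mistake.
SecRule REQUEST_FILENAME "@streq /login" \
    "id:900203,phase:3,pass,nolog,chain"
    SecRule RESPONSE_STATUS "@streq 200" \
        "setvar:!ip.bad_pw"
```

Rule order matters: 900200 must run before 900201 in phase 1 so the collection is loaded when the threshold is checked.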
From: Hoang H. N. <na...@gm...> - 2014-10-20 08:16:19
Hi Carlos,
How many rules have you applied for your system? I intend to use the whole "Core rule set". It has a lot of rules, then if I use it each user's request will be inspected by hundreds of rules.
Meanwhile the reverse proxy ModSecurity becomes the bottleneck of the whole system.

On Mon, Oct 20, 2014 at 2:40 PM, Carlos Vidal <ca...@ta...> wrote:
> I'm using nginx+modsec with a webmail system (Zimbra) hosting 25K users and it works pretty well. Performance depends of course on the number of rules you apply and in which phases. You can define hundreds of rules but have only a few that are used in the most common requests. If performance is paramount for your site, you will need to spend some time analyzing modsec logs to find which rules give you the highest "protection/load" ratio.
>
> On Mon, Oct 20, 2014 at 6:27 AM, Hoang Hai Nam <na...@gm...> wrote:
> > Hi everyone,
> > I'm planning to use ModSecurity for Nginx (reverse proxy form) to protect multiple of my company's websites, but I am confused by the Development Status: BETA, and I do not know whether ModSecurity for Nginx has stable performance with the Core Rule Set or not.
> >
> > Nginx has very good performance when used as a reverse proxy, so I want to ask for advice on using Nginx with ModSecurity.
> >
> > Looking forward to your reply. Thanks all very much.
> >
> > --
> > Best regards,
> > Hoang Hai Nam

--
Best regards,
Hoang Hai Nam
From: Carlos V. <ca...@ta...> - 2014-10-20 08:03:25
I'm using nginx+modsec with a webmail system (Zimbra) hosting 25K users and it works pretty well. Performance depends of course on the number of rules you apply and in which phases. You can define hundreds of rules but have only a few that are used in the most common requests. If performance is paramount for your site, you will need to spend some time analyzing modsec logs to find which rules give you the highest "protection/load" ratio.

On Mon, Oct 20, 2014 at 6:27 AM, Hoang Hai Nam <na...@gm...> wrote:
> Hi everyone,
> I'm planning to use ModSecurity for Nginx (reverse proxy form) to protect multiple of my company's websites, but I am confused by the Development Status: BETA, and I do not know whether ModSecurity for Nginx has stable performance with the Core Rule Set or not.
>
> Nginx has very good performance when used as a reverse proxy, so I want to ask for advice on using Nginx with ModSecurity.
>
> Looking forward to your reply. Thanks all very much.
>
> --
> Best regards,
> Hoang Hai Nam
From: Hoang H. N. <na...@gm...> - 2014-10-20 04:27:19
Hi everyone,
I'm planning to use ModSecurity for Nginx (reverse proxy form) to protect multiple of my company's websites, but I am confused by the Development Status: BETA, and I do not know whether ModSecurity for Nginx has stable performance with the Core Rule Set or not.

Nginx has very good performance when used as a reverse proxy, so I want to ask for advice on using Nginx with ModSecurity.

Looking forward to your reply. Thanks all very much.

--
Best regards,
Hoang Hai Nam
From: Felipe C. <FC...@tr...> - 2014-10-13 13:43:11
Hi Brian,

In fact, I don't see a problem with having the overrideModeDefault Allow; can you open a bug on our issue tracker so we can keep track of it and involve other IIS users?
- https://github.com/SpiderLabs/ModSecurity/issues

Regarding the enabled="false", by looking at the code it seems that ModSecurity is checking for it, as you can see here:

While ModSecurity is initialized:
- https://github.com/SpiderLabs/ModSecurity/blob/master/iis/moduleconfig.cpp#L67-L77

While a new incoming request arrives:
- https://github.com/SpiderLabs/ModSecurity/blob/master/iis/mymodule.cpp#L738-L741

When you mentioned that DebugLogs are still filled, did you mean partial content, or do the logs look exactly the same as they do when ModSecurity is enabled?

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

On 10/10/14 6:05 PM, "Brian Clark" <bc...@re...> wrote:

> I have a few more bits of information here but still have not solved the
> problem of ModSecurity operating while "enabled=false" is in effect.
>
> 1) The ModSecurity msi installer adds a line to the applicationHost.config
> file that looks like this:
>   <section name="ModSecurity" overrideModeDefault="Deny" allowDefinition="Everywhere" /></sectionGroup>
>
> And this:
>   <ModSecurity enabled="true" configFile="D:\Program Files\ModSecurity IIS\modsecurity_iis.conf" />
>
> The effect of these two lines is that ModSecurity is enabled server-wide
> and no individual web application has the ability to disable it. I
> consider this a bug. At the very least, the default setting for
> overrideModeDefault should be "Allow" to allow individual web applications
> the ability to turn on/off ModSecurity. Also, I question whether having
> ModSecurity enabled by default on all websites is the right default
> configuration choice for the installer.
>
> 2) Even with changing the two applicationHost.config lines to "Allow" and
> "false", respectively, and with adding a ModSecurity enabled="false" line
> to the web application's web.config file, ModSecurity continues to log
> traffic to its debug log, with the engine in detect-only mode.
>
> I am not sure why it would do this. I consider this a bug as well.
>
> Anyone have any suggestions? Are others having similar issues?
>
> Brian Clark | VP, IT Operations
>
> On 10/10/14, 10:40 AM, "Brian Clark" <bc...@re...> wrote:
>
> > Hello,
> >
> > I am trying to get modsecurity 2.8.0 working in IIS on Windows 2012. In
> > experimenting with it, I have found that even with the enabled=false flag
> > set, mod security is still active: I see it logging information to its
> > debug.log at log level 3.
> >
> > Here is my ModSecurity directive in my web.config:
> >   <ModSecurity enabled="false" configFile="D:\Program Files\ModSecurity IIS\modsecurity_iis.conf" />
> > I have this item placed as the very last line in the system.webServer
> > block, right before </system.webServer>
> >
> > Obviously, it isn't supposed to work this way. Is anyone else having the
> > same problem? Any suggestions on how to make it work properly?
> >
> > Thanks,
> >
> > Brian Clark | VP, IT Operations
From: Felipe C. <FC...@tr...> - 2014-08-18 17:18:36
Hi Stefan,

Thanks for the report. It seems that it is part of the code that needs to be reviewed. I have opened an issue to track this on GitHub; here is the link:
https://github.com/SpiderLabs/ModSecurity/issues/768

Br.,
Felipe "Zimmerle" Costa

On 8/15/14 4:03 PM, "Stefan Fritsch" <sf...@sf...> wrote:

> Hi,
>
> mod_security creates a new apr_allocator for every request which is then
> destroyed again after the request finishes. This seems to cause bad
> performance when used with threaded mpms and apr's
> --enable-allocator-uses-mmap because it causes lots of mmap() and
> munmap()s for each request. The allocator-uses-mmap option has been in use
> by Debian/Ubuntu's apr packages for over three years. More information is
> available at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758068
>
> Why does mod_security do this? Why does it create its own per-request pool
> msr->mp at all? It does not seem to clear or destroy it before the end of
> request and so there does not seem to be any advantage over using r->pool
> directly.
>
> Cheers,
> Stefan
From: Derek & V. <the...@gm...> - 2014-08-16 11:06:27
File is located inside the /opt/chroot/usr/share/php dir and I even hard-coded the path to the file in an effort to sort this out. Will have to see about enabling mod_security logs to see if I can get mod_security to tell me what it's doing.

On 08/15/2014 11:56 PM, Felipe Costa wrote:
> Hi Derek,
>
> Make sure you have the file that you want to access inside the chroot directory and your application is looking in the correct path.
>
> More information about SecChrootDir is available here:
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecChrootDir
>
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
> Trustwave |
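The path question in this SecChrootDir thread, as an added example (this is not code from the thread, from ModSecurity or from the Google API library): once Apache has chrooted to the SecChrootDir directory, every absolute path the PHP process opens is resolved by the kernel relative to that directory, so /usr/share/php/cacerts.pem inside the chroot is /opt/chroot/usr/share/php/cacerts.pem on the host, and a path hard-coded with the host-side prefix (/opt/chroot/...) resolves to /opt/chroot/opt/chroot/... and fails with "file not found". The two functions below map a path the way the chrooted process will see it and test whether the mapped file is readable; the fixture builder constructs a throwaway chroot tree under /tmp with a placeholder certificate file (the directory layout, file name and function names are assumptions made for the illustration).

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* chroot_resolve: write into `out` the host-side path that `path` names once
 * a process is confined to `chroot` (trailing slashes on chroot tolerated).
 * Returns 0 on success, -1 if the result would not fit in `outlen`. */
int chroot_resolve(const char *chroot, const char *path, char *out, size_t outlen)
{
    size_t clen = strlen(chroot);
    while (clen > 0 && chroot[clen - 1] == '/')
        clen--;
    const char *sep = (path[0] == '/') ? "" : "/";
    int n = snprintf(out, outlen, "%.*s%s%s", (int)clen, chroot, sep, path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* chroot_readable: 1 if `path`, as seen from inside `chroot`, exists and is
 * readable by the calling user, 0 otherwise. Run it as the Apache user (for
 * example with sudo -u apache) to get the answer the web server will get. */
int chroot_readable(const char *chroot, const char *path)
{
    char real[4096];
    if (chroot_resolve(chroot, path, real, sizeof real) != 0)
        return 0;
    if (access(real, R_OK) == 0) {
        printf("ok: %s opens %s\n", path, real);
        return 1;
    }
    printf("MISSING: %s would open %s, which is absent or unreadable\n", path, real);
    return 0;
}

/* mkdir_ok: create a directory, treating "already exists" as success. */
static int mkdir_ok(const char *dir)
{
    return (mkdir(dir, 0755) == 0 || errno == EEXIST) ? 0 : -1;
}

/* make_chroot_fixture: build a throwaway chroot tree under /tmp that holds
 * usr/share/php/cacerts.pem (a constructed placeholder, not a real CA
 * bundle). Writes the chroot root into `root`; returns 0 on success. */
int make_chroot_fixture(char *root, size_t rootlen)
{
    char dir[4096];
    snprintf(root, rootlen, "/tmp/chroot_demo_%ld", (long)getpid());
    const char *parts[] = { "", "/usr", "/usr/share", "/usr/share/php" };
    for (size_t i = 0; i < sizeof parts / sizeof parts[0]; i++) {
        snprintf(dir, sizeof dir, "%s%s", root, parts[i]);
        if (mkdir_ok(dir) != 0)
            return -1;
    }
    snprintf(dir, sizeof dir, "%s/usr/share/php/cacerts.pem", root);
    FILE *f = fopen(dir, "w");
    if (f == NULL)
        return -1;
    fputs("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n", f);
    fclose(f);
    return 0;
}

int main(void)
{
    char root[64];
    if (make_chroot_fixture(root, sizeof root) != 0)
        return 1;
    /* The path the application must use: relative to the chroot root. */
    chroot_readable(root, "/usr/share/php/cacerts.pem");
    /* The common mistake: the host-side prefix hard-coded inside the chroot. */
    chroot_readable(root, "/opt/chroot/usr/share/php/cacerts.pem");
    return 0;
}
```

The same mapping applies to everything curl needs for verification, including the CA directory configured at build time, so when a library is only told CURLOPT_CAINFO the value has to be the chroot-relative path, and the file (plus any OpenSSL configuration it pulls in) has to be copied into the chroot rather than symlinked out of it.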
From: Felipe C. <FC...@tr...> - 2014-08-16 03:56:35
|
Hi Derek,

Make sure you have the file that you want to access inside the chroot directory and your application is looking in the correct path.

More information about SecChrootDir is available here:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecChrootDir

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
Trustwave |
From: Derek W. <the...@gm...> - 2014-08-15 21:03:44
|
I use mod_security to add a layer of security for my web servers. All servers are configured with at least SecChrootDir; production edge servers make use of the OWASP rule sets.

We are developing new applications with the Google API for PHP and running into problems with this library running under our development servers that only make use of the SecChrootDir function of mod_security. We even have SecRuleEngine Off to see if that makes a difference.

The particular part of the Google API library that we can't get to work when mod_security SecChrootDir is enabled is the certificate verification process. During this process the PHP process needs to open a certificate file that is located outside the webroot. We get a vague access denied and/or file not found error for the cert file. The permissions of the cert file (a public cert chain file) are set so that any user on the system can read and execute the file. The PHP function uses curl to access the file. We have verified that SELinux, php safe_mode and PHP open_basedir are not restricting access to the file.

Two solutions could be to:
- I suspect that I could put the public cert file in a web accessible location, but then I'd need to modify the Google API code, or
- link from a webroot location to the true location, but I prefer not to enable links for the webserver.

The version of mod_security is mod_security-2.7.3-3, Apache 2.2.

Any thoughts, advice? Configuration changes?

Thanks
Derek |
From: Stefan F. <sf...@sf...> - 2014-08-15 19:28:34
|
Hi,

mod_security creates a new apr_allocator for every request, which is then destroyed again after the request finishes. This seems to cause bad performance when used with threaded MPMs and apr's --enable-allocator-uses-mmap, because it causes lots of mmap() and munmap() calls for each request. The allocator-uses-mmap option has been in use by Debian/Ubuntu's apr packages for over three years. More information is available at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758068

Why does mod_security do this? Why does it create its own per-request pool msr->mp at all? It does not seem to clear or destroy it before the end of the request, and so there does not seem to be any advantage over using r->pool directly.

Cheers,
Stefan |
From: 蕴涵 <252...@qq...> - 2014-07-22 04:59:53
|
Hi Costa:

I have had a rough read of the apr memory pool source code, and I now know how modsecurity handles memory management. I tried to modify main.cpp (standalone/main.cpp) in my multi-threaded program, which is similar to Apache's function, but my program has a serious memory leak. I'm sure I use the apr_pool_destroy(r->connection->pool) function when each session needs to be freed.

I have one question: does modsecurity support multi-threading?

br.,
jarwin

------------------ Original message ------------------
From: "Felipe Costa" <FC...@tr...>
Sent: Tuesday, July 8, 2014 7:18 AM
To: "mod...@li..." <mod...@li...>
Subject: Re: [Mod-security-developers] help me!pls

> Hi Jarwin,
>
> ModSecurity uses this Apr Memory Pool to handle the memory management, for further information:
> - http://en.wikipedia.org/wiki/Apache_Portable_Runtime
> - http://www.apachetutor.org/dev/pools
>
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
> Trustwave
>
> > From: 蕴涵 <252...@qq...>
> > Date: Tuesday, July 1, 2014 12:47 PM
> > To: mod-security-developers <mod...@li...>
> > Subject: [Mod-security-developers] help me!pls
> >
> > hi:
> > I ran into a problem when reading the modsecurity-2.7.7 source code. When an http request comes in, modsecurity executes the function create_tx_context(), and in this function it calls apr_allocator_create(&allocator), but I can't find any apr_allocator_free() or apr_allocator_destroy() call to release the allocator memory. Won't the program cause memory leaks? If not, when does modsecurity release the memory? I cannot sleep well because of this puzzling problem! Please reply to me!!
> > Thanks
> > jarwin |
From: Carlos V. <ca...@ta...> - 2014-07-14 15:47:08
|
I've been testing ModSec with a webmail system (Zimbra) and found that the rules to validate a multipart boundary are too strict. The function multipart_boundary_characters_valid() (apache2/msc_multipart.c) excludes the following characters that are legal indeed: ( ) , : / ? = Probably this comes from the fact that Apache does not use them (see MULTIPART_CHARS in http://hc.apache.org/httpcomponents-client-ga/httpmime/xref/org/apache/http/entity/mime/MultipartEntity.html ), but it doesn't mean they are illegal according to RFC 2046 <http://ftp.isi.edu/in-notes/rfc2046.txt>, section 5.1.1. It would be nice to have these characters in a SecSomething directive, so that it is easy to modify. |
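The grammar Carlos cites, as an added example that is not ModSecurity's multipart_boundary_characters_valid() and not code from the thread: RFC 2046 section 5.1.1 defines a boundary as "0*69<bchars> bcharsnospace", where bcharsnospace is DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / "," / "-" / "." / "/" / ":" / "=" / "?" and bchars adds the space. The validator below implements that grammar (1 to 70 characters, last one not a space) and, beside it, a conservative check with an operator-supplied set of extra characters, which is the configurable directive the message asks for. The conservative set used here (alphanumerics plus ' + _ - .) is an assumption derived from the characters the message says are excluded, not a reading of the ModSecurity source, and the function names are made up for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Punctuation RFC 2046 section 5.1.1 allows in a boundary besides ALPHA/DIGIT
 * (the trailing space is a legal interior character, never the last one). */
static const char RFC2046_BCHARS_PUNCT[] = "'()+_,-./:=? ";

/* Assumed conservative set: the RFC punctuation minus the characters the
 * message above says are rejected, ( ) , : / ? = and, here, the space. */
static const char STRICT_PUNCT[] = "'+_-.";

/* boundary_valid: 1 if `b` is a syntactically valid multipart boundary under
 * the given punctuation set: 1..70 characters, each ALPHA, DIGIT or a member
 * of `punct`, and the final character is not a space. */
int boundary_valid(const char *b, const char *punct)
{
    size_t len = strlen(b);
    if (len == 0 || len > 70)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)b[i];
        /* Reject non-ASCII outright; isalnum() is locale dependent above 0x7f. */
        if (c >= 0x80 || !(isalnum(c) || strchr(punct, c)))
            return 0;
    }
    return b[len - 1] != ' ';
}

/* rfc2046_boundary_valid: what the RFC permits, i.e. the loosest sane check. */
int rfc2046_boundary_valid(const char *b)
{
    return boundary_valid(b, RFC2046_BCHARS_PUNCT);
}

/* strict_boundary_valid: the conservative set plus whatever extra punctuation
 * the operator chooses to allow, modelling a hypothetical directive such as
 * "SecMultipartBoundaryChars" (not a real ModSecurity directive). */
int strict_boundary_valid(const char *b, const char *extra)
{
    char punct[64];
    snprintf(punct, sizeof punct, "%s%s", STRICT_PUNCT, extra ? extra : "");
    return boundary_valid(b, punct);
}

int main(void)
{
    /* Constructed sample boundaries, including ones a webmail client might send. */
    const char *samples[] = { "----=_Part_0_12345.67890", "a:b/c=(d),e?f", "ends with space ", "<bad>" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s rfc2046=%d strict=%d strict+\":/=\"=%d\n", samples[i],
               rfc2046_boundary_valid(samples[i]),
               strict_boundary_valid(samples[i], ""),
               strict_boundary_valid(samples[i], ":/="));
    return 0;
}
```

Whatever set is chosen, the length bound and the "no trailing space" rule are the parts that matter for parsing safety: a boundary that is merely unusual punctuation is still unambiguous on the wire, whereas an over-long or space-terminated one is what the RFC actually forbids.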
From: Carlos V. <ca...@ta...> - 2014-07-11 17:26:43
|
Hi Felipe:

I have been testing the nginx_refactoring branch and it works pretty fine for me. I'm using it in front of Zimbra with nginx-1.2.0. I will test it in production this weekend with 20000 accounts, to see what comes out in the audit log. It already blocked several attacks on the development server (php injection stuff). |
From: Rv Rv <rvr...@ya...> - 2014-07-10 05:23:00
|
In the response body processing code flow, when the ngx_http_modsecurity_load_headers_out function is called from modsecurity_body_filter, modsecurity builds the headers from the data member r->headers_out.headers.part. This will include headers that nginx knows, e.g. Content-Encoding and Content-Length. These headers are also recorded in r->headers_out.content_encoding, and similarly for content_length and content_type. Any body filter that is executed before modsecurity may modify the r->headers_out.content_encoding header but NOT r->headers_out.headers.part, e.g. if the gunzip filter is executed before modsecurity. This will mean that modsecurity will read the headers as they were in the response and NOT as they have been modified (assuming other body filters executed prior to it) just before modsecurity was invoked. Is the reading of headers_out.headers.part for headers that can potentially be modified by other body filters intentional? |
From: Carlos V. <ca...@ta...> - 2014-07-08 21:39:46
|
Great! Sorry for the noise, I thought the merge was done already for 2.8.0.

On Tue, Jul 8, 2014 at 7:57 PM, Felipe Costa <FC...@tr...> wrote:
> Hi Carlos,
>
> In the same issue that you have linked, there is a comment pointing to the "nginx_refactoring" branch where you can find this fix and others. The branch is still in development/test, as more minor issues should be fixed before merging it into our mainline.
>
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
> Trustwave
>
> > From: Carlos Vidal <ca...@ta...>
> > Date: Tuesday, July 8, 2014 2:20 PM
> > To: "mod...@li..." <mod...@li...>
> > Subject: [Mod-security-developers] ModSec + NGINX bug in move_brigade_to_chain
> >
> > Hi:
> >
> > I'm testing ModSec 2.7.5 and 2.8.0 with NGINX and find a problem when SecResponseBodyAccess is turned on.
> >
> > The error is produced by a dangling pointer in move_brigade_to_chain() (apr_bucket_nginx.c). It has already been reported in March (https://github.com/SpiderLabs/ModSecurity/issues/681).
> >
> > There are two ngx_alloc_chain_link() calls in the function; the second is correct, but the first one does not initialize 'cl->next' before copying it to the last link (ll). It is enough to add:
> >
> > cl->next = NULL;
> >
> > just after cl->buf->last_buf = 1.
> >
> > This causes crazy behavior such as infinite allocation loops and seg-faults. |
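Why the one-line fix quoted above matters, as an added toy reproduction that is neither nginx nor ModSecurity code: nginx's ngx_alloc_chain_link() hands back links recycled from the pool's free list, and a recycled link still carries the next pointer it had when it was freed, so a caller that links it into a chain without resetting next drags whatever follows on the free list into the output chain. The snippet models that with a minimal free-list allocator (the struct and function names are constructed for the illustration and are not nginx's), appends one recycled link to an empty chain both without and with the initialization Carlos proposes, and walks the result with a step limit so a corrupted chain cannot loop forever.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of a pool chain link and the pool's free list. */
typedef struct link {
    struct link *next;
    int          buf;      /* stands in for the buffer the link carries */
} link_t;

typedef struct {
    link_t  slab[8];       /* backing storage, like a pool's memory */
    int     used;
    link_t *free_list;     /* recycled links, like ngx_pool_t.chain */
} pool_t;

/* Hand out a link. A recycled one keeps whatever `next` it had when freed,
 * which is exactly the property that bites callers who forget to reset it. */
link_t *alloc_link(pool_t *p)
{
    if (p->free_list) {
        link_t *l = p->free_list;
        p->free_list = l->next;
        return l;          /* l->next still points into the free list */
    }
    if (p->used >= (int)(sizeof p->slab / sizeof p->slab[0]))
        return NULL;
    link_t *l = &p->slab[p->used++];
    l->next = NULL;
    return l;
}

/* Return a link to the free list (push onto the singly linked list). */
void free_link(pool_t *p, link_t *l)
{
    l->next = p->free_list;
    p->free_list = l;
}

/* Append `l` as the last link of the chain at *head. With fix == 0 the link's
 * `next` is left as allocated (the reported bug); with fix == 1 it is cleared
 * first, the one-line change proposed in the thread. */
void append_link(link_t **head, link_t *l, int fix)
{
    if (fix)
        l->next = NULL;
    if (*head == NULL) {
        *head = l;
        return;
    }
    link_t *tail = *head;
    while (tail->next)
        tail = tail->next;
    tail->next = l;
}

/* Count the links in a chain, giving up after `limit` steps so a corrupted
 * or cyclic chain cannot make the walker spin forever. */
int chain_length(const link_t *head, int limit)
{
    int n = 0;
    for (const link_t *l = head; l && n < limit; l = l->next)
        n++;
    return n;
}

/* Scenario: three links served an earlier response and were freed back to
 * the pool; one is then recycled for a new, single-link chain. Returns the
 * length the chain walker sees, which should be 1. */
int demo_recycled_link(int fix)
{
    pool_t pool = { .used = 0, .free_list = NULL };
    link_t *a = alloc_link(&pool), *b = alloc_link(&pool), *c = alloc_link(&pool);
    a->buf = 1; b->buf = 2; c->buf = 3;
    free_link(&pool, a);
    free_link(&pool, b);
    free_link(&pool, c);                 /* free list is now c -> b -> a */

    link_t *head = NULL;
    link_t *fresh = alloc_link(&pool);   /* returns c, and c->next == b */
    fresh->buf = 42;
    append_link(&head, fresh, fix);
    return chain_length(head, 100);
}

int main(void)
{
    printf("without cl->next = NULL: chain length %d\n", demo_recycled_link(0));
    printf("with    cl->next = NULL: chain length %d\n", demo_recycled_link(1));
    return 0;
}
```

In the real module the stale tail points at links the pool will hand out again for later buffers, so the same memory ends up on two chains at once; that is where the runaway allocation and the segfaults Carlos reports come from, and it is why every link obtained from a pool allocator needs its next pointer set explicitly before it is spliced into a chain.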