mod-security-developers — Development discussion about mod_security

Re: [Mod-security-developers] ModSecurity and Webshpere

[Eric A. <eri...@rr...>]

Hello:
Can anyone tell me if ModSecurity for Java can run in a stock WebSphere
Application Server environment?  I don't need to know about building the
project for now.  If anyone has used ModSecurity in a stock WebSphere
Application Server environment, was there anything special that needed to
be done in order to get it to work?

Thanks,
-E


On Wed, Jan 29, 2014 at 3:43 PM, Eric Anderson <eri...@rr...>wrote:

> Hello:
> Can ModSecurity for Java run in a stock WebSphere environment?  If so, Is
> there any information on how to build the project in a Windows environment?
>
> Thanks
> -E
>

[Mod-security-developers] ModSecurity and Webshpere

[Eric A. <eri...@rr...>]

Hello:
Can ModSecurity for Java run in a stock WebSphere environment?  If so, Is
there any information on how to build the project in a Windows environment?

Thanks
-E

[Mod-security-developers] ModSecurity usage status

[Felipe C. <FC...@tr...>]

Hi there,

Ryan and I have been busy for a while trying to figure out a way to get some statistics on ModSecurity usage, to allow us to have a better bug prioritization, and understand how frequently our users are updating ModSecurity, etc…

We've made a blog post yesterday, which introduces the idea and code, it is available at:

http://blog.spiderlabs.com/2014/01/introducing-modsecurity-status-reporting.html

As said in the blog post, the code is not merged yet, it still in a separated branch. Your opinion and suggestion are very important, so please test and comment, suggestions and feedback are very welcomed.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>



________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

[Mod-security-developers] ModSecurity Release 2.7.7

[Felipe C. <FC...@tr...>]

Hi,

ModSecurity Release 2.7.7 is ready. It contains small fixes to allow an easy integration to packaging generation and build automation. Tarball were renamed to fit the same structure of older releases and configure scripts were placed back as part of the Tarball. For further information on the changes check the release notes<https://github.com/SpiderLabs/ModSecurity/releases>. For issues, please check the Issues on GitHub<https://github.com/SpiderLabs/ModSecurity/issues?direction=desc&sort=created&state=open>.

Archives also available at:

  *   Apache/Nginx:
     *   https://www.modsecurity.org/tarball/2.7.7/modsecurity-apache_2.7.7.tar.gz
     *   https://www.modsecurity.org/tarball/2.7.7/modsecurity-apache_2.7.7.tar.gz.sha256
  *   IIS
     *   https://www.modsecurity.org/tarball/2.7.7/modsecurity-apache_2.7.7-32b.msi
     *   https://www.modsecurity.org/tarball/2.7.7/modsecurity-apache_2.7.7-32b.msi.sha256
     *   https://www.modsecurity.org/tarball/2.7.7/modsecurity-apache_2.7.7-64b.msi
     *   https://www.modsecurity.org/tarball/2.7.7/modsecurity-apache_2.7.7-64b.msi.sha256


Thanks,
Felipe "Zimmerle" Costa
Lead Developer for ModSecurity, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

[Mod-security-developers] Preparing for release 2.7.7

[Felipe C. <FC...@tr...>]

Hi,

Due to recent problems that people are facing to generate packages out of 2.7.6 we are working on 2.7.7.
If you find out any other issue that was not reported yet, please report on Github: https://github.com/SpiderLabs/ModSecurity/issues


Thanks,
Felipe "Zimmerle" Costa
Lead Developer for ModSecurity, SpiderLabs
m: +55 81 8706.5547

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

[Mod-security-developers] ModSecurity release 2.7.6

[Felipe C. <FC...@tr...>]

Hi,

We are pleased to announce ModSecurity release 2.7.6. Besides the bug fixes this release also includes modification on the build system that counts on QA mechanisms such as coding style checker and static analysis. All ports and all platforms had some changes that may reduce the possibility of errors while trying to compile the project. Regression tests and unit tests are now more independent of platform or utilities versions. There is a new installer for MS Windows. Libinjection was updated. For further information on the changes, please check the release notes. For more information about the fixed bugs or to report a new one, have a look at our Issues on GitHub.<https://github.com/SpiderLabs/ModSecurity/issues>

It is also a pleasure to announce that we now have a Buildbot to help us to control the quality of our code/releases. For each build, the Buildbots are building the code,  checking coding style and doing a static analysis. Unit tests and regression tests are also performed. Compilation warnings are been monitored on our different ports/platforms. To follow up our builds, have a visit at: http://www.modsecurity.org/developers/buildbot

All releases that were archived as Branches on our git are now archived as Tags, not appearing on the Branch list anymore, but still available under Tags. New features now will be placed under specific branches, for continuous testing until the stability is ensured and then merge at branch master to be released.

Thanks,
Felipe "Zimmerle" Costa
Lead Developer for ModSecurity, SpiderLabs
m: +55 81 8706.5547

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] Reverse proxy, SecRequestBodyAccess, segmentation fault

[Ewald D. <ewa...@t-...>]

On 11/27/2013 04:18 PM, Ewald Dieterich wrote:
> With Apache 2.4.6 and mpm_worker configured as a reverse proxy I get
> segmentation faults when I enable modsecurity 2.7.5 with
> "SecRequestBodyAccess On" and then send large amounts of POST requests
> to a misconfigured backend server that just drops the requests.

This is not an error in modsecurity but in mod_proxy.

After asking on the Apache developer mailing list for help I applied the 
following patches to mod_proxy_http.c and get no more segmentation faults:

http://svn.apache.org/viewvc?view=revision&revision=1534321
http://svn.apache.org/viewvc?view=revision&revision=1550061

See also:

https://issues.apache.org/bugzilla/show_bug.cgi?id=50335

Re: [Mod-security-developers] Various fixes

[Felipe C. <FC...@tr...>]

Hi Jiri,


Thank you for the contribution! Do you mind to send it via github? for better control of the patches that we receive?


Br.,
F.

On Dec 9, 2013, at 10:21 AM, Jiri Kukacka <jir...@or...>
 wrote:

> Hello,
>
> I have some patches you could use:
>
> 02-test.patch : Allows to run test suite when it's configured and build outside of source directory. This could be useful on some compilation cases.
>
> 03-parfait_errors_fix.patch : This patch contains various fixes for Parfait code analysis errors, such as unhandled null pointer dereference and data size/type mismatch.
>
> 04-parfait_errors_fix_annotations.patch : This patch contains Patfait annotations, as there are some false-positives that current version of Parfait reports as errors.
>
> I hope these patches will help improving mod_security.
>
> Sincerely,
>
> Jiri Kukacka
> <02-tests.patch><03-parfait_errors_fix.patch><04-parfait_errors_fix_annotations.patch>------------------------------------------------------------------------------
> Sponsored by Intel(R) XDK
> Develop, test and display web and hybrid apps with a single code base.
> Download it for free now!
> http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk_______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

[Mod-security-developers] Various fixes

[Jiri K. <jir...@or...>]

Hello,

I have some patches you could use:

02-test.patch : Allows to run test suite when it's configured and build 
outside of source directory. This could be useful on some compilation cases.

03-parfait_errors_fix.patch : This patch contains various fixes for 
Parfait code analysis errors, such as unhandled null pointer dereference 
and data size/type mismatch.

04-parfait_errors_fix_annotations.patch : This patch contains Patfait 
annotations, as there are some false-positives that current version of 
Parfait reports as errors.

I hope these patches will help improving mod_security.

Sincerely,

Jiri Kukacka

Re: [Mod-security-developers] [PATCH] mod_sec trunk patch to build against pcre/libxml2 install on Windows

[Jeff T. <tr...@gm...>]

On Wed, Nov 27, 2013 at 10:35 AM, Alan Silva <ala...@ac...> wrote:

> Hi Jeff
>
> Thanks for your interest, but if you need submit a patch for us, try use
> the pull request feature of our github for approval.
>
>
May I assume that you find it of general interest and it is worth my time
to test it more thoroughly, or do I find that out after I submit the patch
a different way?

Thanks!



> Regards,
>
> Alan
>
>
> On Wed, Nov 27, 2013 at 11:10 AM, Jeff Trawick <tr...@gm...> wrote:
>
>> Let me know if this is of interest to the project and I will test more
>> thoroughly.
>>
>> I would like to be able to build against PCRE and Libxml2 installations,
>> whereas the current Windows build support requires building against their
>> build trees.  Additionally, PCRE renames its .lib/.dll when it is build for
>> debugging, and it would be nice to recognize that and avoid patching.
>>
>> Please see attached patch and let me know how revolted you get :)
>>
>> Additionally, the "-D$(VERSION)" appears to be a vestige of long-ago
>> code.  Should it simply be removed from the makefile?
>>
>> TIA!
>>
>> --
>> Born in Roswell... married an alien...
>> http://emptyhammock.com/
>>
>>
>> ------------------------------------------------------------------------------
>> Rapidly troubleshoot problems before they affect your business. Most IT
>> organizations don't have a clear picture of how application performance
>> affects their revenue. With AppDynamics, you get 100% visibility into your
>> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
>> Pro!
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
>> _______________________________________________
>> mod-security-developers mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
>>
>
>
>
> ------------------------------------------------------------------------------
> Rapidly troubleshoot problems before they affect your business. Most IT
> organizations don't have a clear picture of how application performance
> affects their revenue. With AppDynamics, you get 100% visibility into your
> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
> Pro!
> http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/

Re: [Mod-security-developers] [PATCH] mod_sec trunk patch to build against pcre/libxml2 install on Windows

[Alan S. <ala...@ac...>]

Hi Jeff

Thanks for your interest, but if you need submit a patch for us, try use
the pull request feature of our github for approval.

Regards,

Alan


On Wed, Nov 27, 2013 at 11:10 AM, Jeff Trawick <tr...@gm...> wrote:

> Let me know if this is of interest to the project and I will test more
> thoroughly.
>
> I would like to be able to build against PCRE and Libxml2 installations,
> whereas the current Windows build support requires building against their
> build trees.  Additionally, PCRE renames its .lib/.dll when it is build for
> debugging, and it would be nice to recognize that and avoid patching.
>
> Please see attached patch and let me know how revolted you get :)
>
> Additionally, the "-D$(VERSION)" appears to be a vestige of long-ago code.
>  Should it simply be removed from the makefile?
>
> TIA!
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
>
>
> ------------------------------------------------------------------------------
> Rapidly troubleshoot problems before they affect your business. Most IT
> organizations don't have a clear picture of how application performance
> affects their revenue. With AppDynamics, you get 100% visibility into your
> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
> Pro!
> http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

[Mod-security-developers] Reverse proxy, SecRequestBodyAccess, segmentation fault

[Ewald D. <ewa...@t-...>]

With Apache 2.4.6 and mpm_worker configured as a reverse proxy I get 
segmentation faults when I enable modsecurity 2.7.5 with 
"SecRequestBodyAccess On" and then send large amounts of POST requests 
to a misconfigured backend server that just drops the requests.

This is what I did:

On Debian unstable I installed Apache 2.4.6, enabled multithreading via 
mpm_worker, and configured a simple reverse proxy. I also enabled 
modsecurity 2.7.5 with SecRequestBodyAccess. No rules were enabled.

Here is the configuration for the reverse proxy and modsecurity:

<Location />
     SecRuleEngine On
     SecRequestBodyAccess On

     ProxyPass http://backend:8080/
     ProxyPassReverse http://backend:8080/
</Location>

This is what I run to simulate the request-dropping backend server:

faucet 8080 --out echo ""

If a client sends a request, the reverse proxy sends a "502 Bad Gateway" 
response and logs the following errors:

[...] (104)Connection reset by peer: [client 10.128.128.81:49143] 
AH01102: error reading status line from remote server backend:8080
[...] AH00898: Error reading from remote server returned by /

So everything works as expected.

Now I send POST requests in parallel by starting this loop on multiple 
shells, the more the better (data_file is 22k if that matters):

while true ; do curl -d @data_file http://frontend/ ; done

Every once in a while I get a segmentation fault. These segmentation 
faults happen "anywhere" so I'm not sure if providing a backtrace is of 
any help.

Is this a bug or am I doing something wrong? Thanks for your help!

[Mod-security-developers] [HEADS UP] trunk compile failures on Windows (MSVC) due to mixed decls and statements

[Jeff T. <tr...@gm...>]

diff --git a/apache2/libinjection/libinjection_sqli.c b/apache2/libinjection/libinjection_sqli.c
index 4807398..ccd0582 100644
--- a/apache2/libinjection/libinjection_sqli.c
+++ b/apache2/libinjection/libinjection_sqli.c
@@ -127,11 +127,12 @@ memchr2(const char *haystack, size_t haystack_len, char c0, char c1)
 static const char *
 my_memmem(const char* haystack, size_t hlen, const char* needle, size_t nlen)
 {
+    const char* cur;
+    const char* last;
     assert(haystack);
     assert(needle);
     assert(nlen > 1);
-    const char* cur;
-    const char* last =  haystack + hlen - nlen;
+    last =  haystack + hlen - nlen;
     for (cur = haystack; cur <= last; ++cur) {
         if (cur[0] == needle[0] && memcmp(cur, needle, nlen) == 0) {
             return cur;
@@ -492,6 +493,7 @@ static size_t parse_slash(struct libinjection_sqli_state * sf)
     const char* cur = cs + pos;
     char ctype = TYPE_COMMENT;
     size_t pos1 = pos + 1;
+    const char* ptr;
     if (pos1 == slen || cs[pos1] != '*') {
         return parse_operator1(sf);
     }
@@ -499,7 +501,7 @@ static size_t parse_slash(struct libinjection_sqli_state * sf)
     /*
      * skip over initial '/x'
      */
-    const char* ptr = memchr2(cur + 2, slen - (pos + 2), '*', '/');
+    ptr = memchr2(cur + 2, slen - (pos + 2), '*', '/');
 
     /*
      * (ptr == NULL) causes false positive in cppcheck 1.61
@@ -1286,7 +1288,7 @@ void libinjection_sqli_init(struct libinjection_sqli_state * sf, const char *s,
 
 void libinjection_sqli_reset(struct libinjection_sqli_state * sf, int flags)
 {
-    ptr_lookup_fn lookup = sf->lookup;;
+    ptr_lookup_fn lookup = sf->lookup;
     void *userdata = sf->userdata;
 
     if (flags == 0) {
@@ -1936,6 +1938,7 @@ int libinjection_sqli_blacklist(struct libinjection_sqli_state* sql_state)
     char ch;
     size_t i;
     size_t len = strlen(sql_state->fingerprint);
+    int patmatch;
 
     if (len < 1) {
         sql_state->reason = __LINE__;
@@ -1959,7 +1962,7 @@ int libinjection_sqli_blacklist(struct libinjection_sqli_state* sql_state)
     }
     fp2[i+1] = '\0';
 
-    int patmatch = is_keyword(fp2, len + 1) == TYPE_FINGERPRINT;
+    patmatch = is_keyword(fp2, len + 1) == TYPE_FINGERPRINT;
 
     /*
      * No match.
diff --git a/apache2/re_operators.c b/apache2/re_operators.c
index f9ef225..ef51207 100644
--- a/apache2/re_operators.c
+++ b/apache2/re_operators.c
@@ -165,6 +165,7 @@ static int msre_op_ipmatchFromFile_param_init(msre_rule *rule, char **error_msg)
     char *fn;
     const char *ipfile_path;
     TreeRoot *rtree = NULL;
+    int res;
 
     if ((rule->op_param == NULL) || (strlen(rule->op_param) == 0))
     {
@@ -192,7 +193,7 @@ static int msre_op_ipmatchFromFile_param_init(msre_rule *rule, char **error_msg)
         apr_filepath_merge(&fn, ipfile_path, fn, APR_FILEPATH_TRUENAME, rule->ruleset->mp);
     }
 
-    int res = ip_tree_from_file(&rtree, fn, rule->ruleset->mp, error_msg);
+    res = ip_tree_from_file(&rtree, fn, rule->ruleset->mp, error_msg);
     if (res)
     {
         return 0;

[Mod-security-developers] [PATCH] mod_sec trunk patch to build against pcre/libxml2 install on Windows

[Jeff T. <tr...@gm...>]

diff --git a/apache2/Makefile.win b/apache2/Makefile.win
index 31a83a9..1061279 100644
--- a/apache2/Makefile.win
+++ b/apache2/Makefile.win
@@ -6,12 +6,55 @@
 !ERROR NMAKE arguments: APACHE=dir PCRE=dir LIBXML2=dir are required to build mod_security2 for Windows
 !ENDIF
 
+# Supported PCRE Layouts:
+#   Referencing PCRE build tree:
+#     $(PCRE)/include/pcre*.h and $(PCRE)/pcre.lib
+#   Referencing PCRE install (PCRE's CMAKE_INSTALL_PREFIX):
+#     $(PCRE)/include/pcre*.h and $(PCRE)/lib/pcre.lib
+# Note that pcre.lib will be renamed to pcred.lib when using a debug build.
+
+!IF EXISTS($(PCRE)\pcre.lib)
+PCRELIB = $(PCRE)\pcre.lib
+!ELSE IF EXISTS($(PCRE)\pcred.lib)
+PCRELIB = $(PCRE)\pcred.lib
+!ELSE IF EXISTS($(PCRE)\lib\pcre.lib)
+PCRELIB = $(PCRE)\lib\pcre.lib
+!ELSE IF EXISTS($(PCRE)\lib\pcred.lib)
+PCRELIB = $(PCRE)\lib\pcred.lib
+!ELSE
+!ERROR Neither pcre.lib nor pcred.lib was found relative to $(PCRE)
+!ENDIF
+
+# Supported Libxml2 Layouts:
+#   Referencing Libxml2 build tree:
+#     $(LIBXML2)\include\libxml\*.h
+#     $(LIBXML2)\win32\bin.msvc\libxml2.lib
+#   Referencing Libxml2 install (configure.js prefix=xxx):
+#     $(LIBXML2)\include\libxml2\libxml\*.h
+#     $(LIBXML2)\lib\libxml2.lib
+
+!IF EXISTS($(LIBXML2)\win32\bin.msvc\libxml2.lib)
+LIBXML2LIB = $(LIBXML2)\win32\bin.msvc\libxml2.lib
+!ELSE IF EXISTS($(LIBXML2)\lib\libxml2.lib)
+LIBXML2LIB = $(LIBXML2)\lib\libxml2.lib
+!ELSE
+!ERROR libxml2.lib was not found relative to $(LIBXML2)
+!ENDIF
+
+!IF EXISTS($(LIBXML2)\include\libxml\xpath.h)
+LIBXML2INC = $(LIBXML2)\include
+!ELSE IF EXISTS($(LIBXML2)\include\libxml2\libxml\xpath.h)
+LIBXML2INC = $(LIBXML2)\include\libxml2
+!ELSE
+!ERROR Libxml2 include files were not found relative to $(LIBXML2)
+!ENDIF
+
 # Linking libraries
 LIBS = $(APACHE)\lib\libhttpd.lib \
        $(APACHE)\lib\libapr-1.lib \
        $(APACHE)\lib\libaprutil-1.lib \
-       $(PCRE)\pcre.lib \
-       $(LIBXML2)\win32\bin.msvc\libxml2.lib \
+       $(PCRELIB) \
+       $(LIBXML2LIB) \
        Ws2_32.lib
 
 ###########################################################################
@@ -27,7 +70,7 @@ DLL = mod_security2.so
 
 INCLUDES = -I. -I.. \
            -I$(PCRE)\include -I$(PCRE) \
-           -I$(LIBXML2)\include \
+           -I$(LIBXML2INC) \
            -I$(APACHE)\include
 
 # Lua is optional

Re: [Mod-security-developers] [PATCH] mod_sec 2.7.5 for Apache -- Windows build issue with inet_pton()

[Jeff T. <tr...@gm...>]

On Mon, Nov 25, 2013 at 7:45 PM, Felipe Costa <FC...@tr...> wrote:

>  Hi Jeff,
>
>  Thanks for the patch, our development version is not on the master
> branch,
> but on branch labeled remotes/trunk. On this development branch this issue
> was address by replacing the windows function with a define, although It
> still
> demands runtime tests. Here goes the link to the commit:
>
>
> https://github.com/SpiderLabs/ModSecurity/commit/a3b875a618f2862486fe3a071dff87a9ee2dfe1a
>
>  The build was tested with VS 2011, 2012 (32 and 64b) on Windows 7, 8 and
> 8.1.
> If you are interested in the windows development, have a look on this
> branch.
> Lot of changes related to the windows build process.
>

Thanks a bunch; I'll try it out.


>
>  To download the remotes/trunk branch, try:
>
>  git clone https://github.com/SpiderLabs/ModSecurity.git
> git checkout origin/remotes/trunk -b trunk
>
>  Thanks,
>  F.
>
>
>
>
>
>   On Nov 25, 2013, at 9:10 PM, Jeff Trawick <tr...@gm...> wrote:
>
>  Vista and higher have inet_pton().
>
>  msc_util.h has this trick to void declaring inet_pton() when building
> for Win >= Vista:
>
>  #if !(NTDDI_VERSION >= NTDDI_VISTA)
> int DSOLOCAL inet_pton(int family, const char *src, void *dst);
> #endif
>
>  I understand that this resolved a declaration problem, but with Visual
> Studio 2012 64-bit on Win 2008 R2 I get this link-time error for multiply
> defined symbols:
>
>  CL -MD -I. -I..  -Ifoopath/stage/install\include -Ifoopath/stage/install
>  -Ifoopath/stage/install\include\libxml2  -Ifoopath/stage/install\include
> /nologo /O2 /LD /W3 /wd4244 /wd4018 -DWIN32 -DWINNT -Dinline=APR_INLINE
> -Dfooversion /Zi  -LD mod_security2.obj apache2_config.obj apache2_io.obj
> apache2_util.obj  re.obj re_operators.obj re_actions.obj re_tfns.obj
> re_variables.obj  msc_logging.obj msc_xml.obj msc_multipart.obj
> modsecurity.obj  msc_parsers.obj msc_util.obj msc_pcre.obj persist_dbm.obj
>  msc_reqbody.obj msc_geo.obj msc_gsb.obj msc_crypt.obj msc_tree.obj
> msc_unicode.obj acmp.obj msc_lua.obj  msc_release.obj
> libinjection\libinjection_sqli.obj -Femod_security2.so
> foopath/stage/install\lib\libhttpd.lib
>  foopath/stage/install\lib\libapr-1.lib
>  foopath/stage/install\lib\libaprutil-1.lib
>  foopath/stage/install\lib\pcre.lib  foopath/stage/install\lib\libxml2.lib
>  Ws2_32.lib /link
> Ws2_32.lib(WS2_32.dll) : error LNK2005: inet_pton already defined in
> msc_util.obj
>    Creating library mod_security2.lib and object mod_security2.exp
> mod_security2.so : fatal error LNK1169: one or more multiply defined
> symbols found
>
>  I'm using this patch to hide the implementation in the same manner that
> the prototype is hidden:
>
>  --- mod_security.orig/apache2/msc_util.c        2013-07-27
> 21:58:50.000000000 -0600
> +++ mod_security/apache2/msc_util.c     2013-11-25 16:40:09.599279200 -0700
> @@ -835,7 +835,7 @@
>      return ((char *)haystack);
>  }
>
>  -#ifdef WIN32
> +#if defined(WIN32) && !(NTDDI_VERSION >= NTDDI_VISTA)
>  int inet_pton(int family, const char *src, void *dst)   {
>      struct addrinfo addr;
>      struct sockaddr_in *in = NULL;
>
>  (Only tested with mod_security for Apache building for Vista with VS
> 2012)
>
>  --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
>  ------------------------------------------------------------------------------
> Shape the Mobile Experience: Free Subscription
> Software experts and developers: Be at the forefront of tech innovation.
> Intel(R) Software Adrenaline delivers strategic insight and game-changing
> conversations that shape the rapidly evolving mobile landscape. Sign up
> now.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk_______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>
>
>
> ------------------------------
>
> This transmission may contain information that is privileged,
> confidential, and/or exempt from disclosure under applicable law. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information contained
> herein (including any reliance thereon) is strictly prohibited. If you
> received this transmission in error, please immediately contact the sender
> and destroy the material in its entirety, whether in electronic or hard
> copy format.
>
>
> ------------------------------------------------------------------------------
> Shape the Mobile Experience: Free Subscription
> Software experts and developers: Be at the forefront of tech innovation.
> Intel(R) Software Adrenaline delivers strategic insight and game-changing
> conversations that shape the rapidly evolving mobile landscape. Sign up
> now.
> http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/

Re: [Mod-security-developers] [PATCH] mod_sec 2.7.5 for Apache -- Windows build issue with inet_pton()

[Felipe C. <FC...@tr...>]

Hi Jeff,

Thanks for the patch, our development version is not on the master branch,
but on branch labeled remotes/trunk. On this development branch this issue
was address by replacing the windows function with a define, although It still
demands runtime tests. Here goes the link to the commit:

https://github.com/SpiderLabs/ModSecurity/commit/a3b875a618f2862486fe3a071dff87a9ee2dfe1a

The build was tested with VS 2011, 2012 (32 and 64b) on Windows 7, 8 and 8.1.
If you are interested in the windows development, have a look on this branch.
Lot of changes related to the windows build process.

To download the remotes/trunk branch, try:

git clone https://github.com/SpiderLabs/ModSecurity.git
git checkout origin/remotes/trunk -b trunk

Thanks,
F.





On Nov 25, 2013, at 9:10 PM, Jeff Trawick <tr...@gm...<mailto:tr...@gm...>> wrote:

Vista and higher have inet_pton().

msc_util.h has this trick to void declaring inet_pton() when building for Win >= Vista:

#if !(NTDDI_VERSION >= NTDDI_VISTA)
int DSOLOCAL inet_pton(int family, const char *src, void *dst);
#endif

I understand that this resolved a declaration problem, but with Visual Studio 2012 64-bit on Win 2008 R2 I get this link-time error for multiply defined symbols:

CL -MD -I. -I..  -Ifoopath/stage/install\include -Ifoopath/stage/install  -Ifoopath/stage/install\include\libxml2  -Ifoopath/stage/install\include /nologo /O2 /LD /W3 /wd4244 /wd4018 -DWIN32 -DWINNT -Dinline=APR_INLINE -Dfooversion /Zi  -LD mod_security2.obj apache2_config.obj apache2_io.obj apache2_util.obj  re.obj re_operators.obj re_actions.obj re_tfns.obj re_variables.obj  msc_logging.obj msc_xml.obj msc_multipart.obj modsecurity.obj  msc_parsers.obj msc_util.obj msc_pcre.obj persist_dbm.obj  msc_reqbody.obj msc_geo.obj msc_gsb.obj msc_crypt.obj msc_tree.obj msc_unicode.obj acmp.obj msc_lua.obj  msc_release.obj libinjection\libinjection_sqli.obj -Femod_security2.so foopath/stage/install\lib\libhttpd.lib  foopath/stage/install\lib\libapr-1.lib  foopath/stage/install\lib\libaprutil-1.lib  foopath/stage/install\lib\pcre.lib  foopath/stage/install\lib\libxml2.lib  Ws2_32.lib /link
Ws2_32.lib(WS2_32.dll) : error LNK2005: inet_pton already defined in msc_util.obj
   Creating library mod_security2.lib and object mod_security2.exp
mod_security2.so : fatal error LNK1169: one or more multiply defined symbols found

I'm using this patch to hide the implementation in the same manner that the prototype is hidden:

--- mod_security.orig/apache2/msc_util.c        2013-07-27 21:58:50.000000000 -0600
+++ mod_security/apache2/msc_util.c     2013-11-25 16:40:09.599279200 -0700
@@ -835,7 +835,7 @@
     return ((char *)haystack);
 }

-#ifdef WIN32
+#if defined(WIN32) && !(NTDDI_VERSION >= NTDDI_VISTA)
 int inet_pton(int family, const char *src, void *dst)   {
     struct addrinfo addr;
     struct sockaddr_in *in = NULL;

(Only tested with mod_security for Apache building for Vista with VS 2012)

--
Born in Roswell... married an alien...
http://emptyhammock.com/
------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing
conversations that shape the rapidly evolving mobile landscape. Sign up now.
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk_______________________________________________
mod-security-developers mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

[Mod-security-developers] [PATCH] mod_sec 2.7.5 for Apache -- Windows build issue with inet_pton()

[Jeff T. <tr...@gm...>]

Vista and higher have inet_pton().

msc_util.h has this trick to void declaring inet_pton() when building for
Win >= Vista:

#if !(NTDDI_VERSION >= NTDDI_VISTA)
int DSOLOCAL inet_pton(int family, const char *src, void *dst);
#endif

I understand that this resolved a declaration problem, but with Visual
Studio 2012 64-bit on Win 2008 R2 I get this link-time error for multiply
defined symbols:

CL -MD -I. -I..  -Ifoopath/stage/install\include -Ifoopath/stage/install
 -Ifoopath/stage/install\include\libxml2  -Ifoopath/stage/install\include
/nologo /O2 /LD /W3 /wd4244 /wd4018 -DWIN32 -DWINNT -Dinline=APR_INLINE
-Dfooversion /Zi  -LD mod_security2.obj apache2_config.obj apache2_io.obj
apache2_util.obj  re.obj re_operators.obj re_actions.obj re_tfns.obj
re_variables.obj  msc_logging.obj msc_xml.obj msc_multipart.obj
modsecurity.obj  msc_parsers.obj msc_util.obj msc_pcre.obj persist_dbm.obj
 msc_reqbody.obj msc_geo.obj msc_gsb.obj msc_crypt.obj msc_tree.obj
msc_unicode.obj acmp.obj msc_lua.obj  msc_release.obj
libinjection\libinjection_sqli.obj -Femod_security2.so
foopath/stage/install\lib\libhttpd.lib
 foopath/stage/install\lib\libapr-1.lib
 foopath/stage/install\lib\libaprutil-1.lib
 foopath/stage/install\lib\pcre.lib  foopath/stage/install\lib\libxml2.lib
 Ws2_32.lib /link
Ws2_32.lib(WS2_32.dll) : error LNK2005: inet_pton already defined in
msc_util.obj
   Creating library mod_security2.lib and object mod_security2.exp
mod_security2.so : fatal error LNK1169: one or more multiply defined
symbols found

I'm using this patch to hide the implementation in the same manner that the
prototype is hidden:

--- mod_security.orig/apache2/msc_util.c        2013-07-27
21:58:50.000000000 -0600
+++ mod_security/apache2/msc_util.c     2013-11-25 16:40:09.599279200 -0700
@@ -835,7 +835,7 @@
     return ((char *)haystack);
 }

-#ifdef WIN32
+#if defined(WIN32) && !(NTDDI_VERSION >= NTDDI_VISTA)
 int inet_pton(int family, const char *src, void *dst)   {
     struct addrinfo addr;
     struct sockaddr_in *in = NULL;

(Only tested with mod_security for Apache building for Vista with VS 2012)

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/

Re: [Mod-security-developers] Attaching to page is very slow.

[Felipe C. <FC...@tr...>]

Hi,

Difficult to say without having details, did you had a chance to enable any rules?
Are you ware of the Core Rule Set (CRS):

http://spiderlabs.github.io/owasp-modsecurity-crs/

The performance is directly related to the rules that you have enabled, you probably
want to measure with those rules, fell free to share the number with us :)

Br.,
F.


On Nov 22, 2013, at 11:14 AM, ghost 123456 <oy...@gm...<mailto:oy...@gm...>>
 wrote:

Hello, I've just installed ModSecurity-apache-2.7.5 from source code.

After finished configuring and starting apache, I've called my page running on apache.

But, the calling speed is too slow.

What's the problem?
------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing
conversations that shape the rapidly evolving mobile landscape. Sign up now.
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk_______________________________________________
mod-security-developers mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

[Mod-security-developers] Attaching to page is very slow.

[ghost 1. <oy...@gm...>]

Hello, I've just installed ModSecurity-apache-2.7.5 from source code.

After finished configuring and starting apache, I've called my page running
on apache.

But, the calling speed is too slow.

What's the problem?

[Mod-security-developers] validateurlencoding operator being used in the CRS

[Ellison M. <em...@sc...>]

rule 950108 in the CRS is supposed to check for url encoding abuse 
attempts. It chains a content-type header check, to a regex looking for 
percent sequences in REQUEST_BODY or XML, and finally to the 
validateURLEncoding operator. The problem is, the regex check allows for 
% on it's own, %XX and for %uXXXX sequences, while validateUrlEncoding 
only seems to accept %XX.

-- 
Sincerely,
  Ellison

Ellison Marks
Scratchspace Inc.
(831) 621-7928
http://www.scratchspace.com

[Mod-security-developers] does anyone can help me to compile ModSecurity IIS using VS2010

[保龙 <448...@qq...>]

Does anyone can help me to compile ModSecurity IIS using VS2010. Please reply my email. Thank you very much.

[Mod-security-developers] Welcome Felipe Costa as the new lead Dev for ModSecurity

[Ryan B. <RBa...@tr...>]

I wanted to send a note to the mail-lists to let everyone know that we have a new lead DEV for ModSecurity here in Trustwave SpiderLabs Research – Felipe Costa.  Felipe is taking over for Breno Silva Pinto who has left Trustwave to pursue other opportunities.  Breno did an outstanding job leading ModSecurity Dev for 3 years and we wish him luck in his new career.  Hopefully Breno will still have some time to contribute to the project in the future.

We are excited to have Felipe on the team as he has extensive background in open source project development.

Welcome aboard Felipe!

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] ModSecurity for Java - BETA Testers Needed

[Ryan B. <RBa...@tr...>]

Resending to the lists as we haven't received much feedback.

If you run Java app servers, please give this a test.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: Ryan Barnett <rba...@tr...<mailto:rba...@tr...>>
Date: Friday, September 27, 2013 2:40 PM
To: "mod...@li...<mailto:mod...@li...>" <mod...@li...<mailto:mod...@li...>>, "mod...@li...<mailto:mod...@li...>" <mod...@li...<mailto:mod...@li...>>
Subject: ModSecurity for Java - BETA Testers Needed

FYI -
http://blog.spiderlabs.com/2013/09/modsecurity-for-java-beta-testers-needed.html

If you have any Java servers (Tomcat, Struts, Spring, etc…) please download this code and give it a test.  Let us know if you have any issues.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

[Mod-security-developers] [JIRA] Closed: (MODSEC-420) ModSecurity 2.7.5 for Nginx 1.4.2 duplicate charset headers

[Ryan B. (JIRA) <no...@mo...>]

     [ https://www.modsecurity.org/tracker/browse/MODSEC-420?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ryan Barnett closed MODSEC-420.
-------------------------------

    Resolution: Fixed

> ModSecurity 2.7.5 for Nginx 1.4.2 duplicate charset headers
> -----------------------------------------------------------
>
>                 Key: MODSEC-420
>                 URL: https://www.modsecurity.org/tracker/browse/MODSEC-420
>             Project: ModSecurity
>          Issue Type: Bug
>      Security Level: Normal
>          Components: Core
>    Affects Versions: 2.7.4
>         Environment: Linux host-1 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux that serves as a load balancer
> 2013/08/29 17:27:20 [notice] 27485#0: ModSecurity for nginx (STABLE)/2.7.5 (http://www.modsecurity.org/) configured.
> 2013/08/29 17:27:20 [notice] 27485#0: ModSecurity: APR compiled version="1.4.6"; loaded version="1.4.6"
> 2013/08/29 17:27:20 [notice] 27485#0: ModSecurity: PCRE compiled version="8.30 "; loaded version="8.30 2012-02-04"
> 2013/08/29 17:27:20 [notice] 27485#0: ModSecurity: LIBXML compiled version="2.8.0"
> 2013/08/29 17:27:20 [notice] 27485#0: using the "epoll" event method
> 2013/08/29 17:27:20 [notice] 27485#0: nginx/1.4.2
> 2013/08/29 17:27:20 [notice] 27485#0: built by gcc 4.7.2 (Debian 4.7.2-5) 
> 2013/08/29 17:27:20 [notice] 27485#0: OS: Linux 3.2.0-4-amd64
> 2013/08/29 17:27:20 [notice] 27485#0: getrlimit(RLIMIT_NOFILE): 1024:4096
>            Reporter: veli pekka jutila
>            Assignee: Breno Silva Pinto
>              Labels: charset, header, modsecurity,, nginx,
>
> When I disable ModSecurity from nginx.conf my backend provides charset header correctly
> sec-176:~ wellu$ curl --head http://111.111.111.111/interface/ShopName?ffg
> HTTP/1.1 200 OK
> Server: nginx/1.4.2
> Date: Thu, 29 Aug 2013 14:34:18 GMT
> Content-Type: text/html; charset=UTF-8
> Connection: keep-alive
> Vary: Accept-Encoding
> Set-Cookie: MCFS=b4v6gu0c0fsmdtj52rla35eg06; expires=Mon, 28-May-2057 05:09:58 GMT; path=/; domain=.111.111; HttpOnly
> Cache-Control: no-cache
> Pragma: no-cache
> Expires: -1
> X-Content-Type-Options: nosniff
> XSS-Protection: 1; mode=block
> X-Varnish: 579266232
> When I enable ModSecurity for this server and just use the basic modsecurity.conf I get duplicate charset headers and also the X-headers are removed. Also the char after UTF-8 depends on how many chars after '?' I use in the URL
> sec-176:~ wellu$ curl --head http://111.111.111.111/interface/ShopName?ffg
> HTTP/1.1 200 OK
> Server: nginx/1.4.2
> Date: Thu, 29 Aug 2013 14:35:18 GMT
> Content-Type: text/html; charset=UTF-8; charset=UTF-8?
> Connection: keep-alive
> Set-Cookie: MCFS=rknbdjna7m1oi5qh9pk6uqmrm7; expires=Mon, 28-May-2057 05:12:00 GMT; path=/; domain=.111.111; HttpOnly
> Cache-Control: no-cache
> Expires: -1
> modsecurity.conf
> -- Rule engine initialization ----------------------------------------------
> # Enable ModSecurity, attaching it to every transaction. Use detection
> # only to start with, because that minimises the chances of post-installation
> # disruption.
> #
> SecRuleEngine DetectionOnly
> # -- Request body handling ---------------------------------------------------
> # Allow ModSecurity to access request bodies. If you don't, ModSecurity
> # won't be able to see any POST parameters, which opens a large security
> # hole for attackers to exploit.
> #
> SecRequestBodyAccess On
> # Enable XML request body parser.
> # Initiate XML Processor in case of xml content-type
> #
> SecRule REQUEST_HEADERS:Content-Type "text/xml" \
>      "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
> # Maximum request body size we will accept for buffering. If you support
> # file uploads then the value given on the first line has to be as large
> # as the largest file you are willing to accept. The second value refers
> # to the size of data, with files excluded. You want to keep that value as
> # low as practical.
> #
> #SecRequestBodyLimit 13107200
> SecRequestBodyLimit 22020096
> SecRequestBodyNoFilesLimit 131072
> # Store up to 128 KB of request body data in memory. When the multipart
> # parser reachers this limit, it will start using your hard disk for
> # storage. That is slow, but unavoidable.
> #
> SecRequestBodyInMemoryLimit 131072
> # What do do if the request body size is above our configured limit.
> # Keep in mind that this setting will automatically be set to ProcessPartial
> # when SecRuleEngine is set to DetectionOnly mode in order to minimize
> # disruptions when initially deploying ModSecurity.
> #
> SecRequestBodyLimitAction Reject
> # Verify that we've correctly processed the request body.
> # As a rule of thumb, when failing to process a request body
> # you should reject the request (when deployed in blocking mode)
> # or log a high-severity alert (when deployed in detection-only mode).
> #
> SecRule REQBODY_ERROR "!@eq 0" \
> "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
> # By default be strict with what we accept in the multipart/form-data
> # request body. If the rule below proves to be too strict for your
> # environment consider changing it to detection-only. You are encouraged
> # _not_ to remove it altogether.
> #
> SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
> "id:'200002',phase:2,t:none,log,deny,status:44, \
> msg:'Multipart request body failed strict validation: \
> PE %{REQBODY_PROCESSOR_ERROR}, \
> BQ %{MULTIPART_BOUNDARY_QUOTED}, \
> BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
> DB %{MULTIPART_DATA_BEFORE}, \
> DA %{MULTIPART_DATA_AFTER}, \
> HF %{MULTIPART_HEADER_FOLDING}, \
> LF %{MULTIPART_LF_LINE}, \
> SM %{MULTIPART_MISSING_SEMICOLON}, \
> IQ %{MULTIPART_INVALID_QUOTING}, \
> IP %{MULTIPART_INVALID_PART}, \
> IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
> FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
> # Did we see anything that might be a boundary?
> #
> SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
> "id:'200003',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
> # PCRE Tuning
> # We want to avoid a potential RegEx DoS condition
> #
> SecPcreMatchLimit 1000
> SecPcreMatchLimitRecursion 1000
> # Some internal errors will set flags in TX and we will need to look for these.
> # All of these are prefixed with "MSC_".  The following flags currently exist:
> #
> # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
> #
> SecRule TX:/^MSC_/ "!@streq 0" \
>         "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
> # -- Response body handling --------------------------------------------------
> # Allow ModSecurity to access response bodies. 
> # You should have this directive enabled in order to identify errors
> # and data leakage issues.
> # 
> # Do keep in mind that enabling this directive does increases both
> # memory consumption and response latency.
> #
> SecResponseBodyAccess Off
> # Which response MIME types do you want to inspect? You should adjust the
> # configuration below to catch documents but avoid static files
> # (e.g., images and archives).
> #
> SecResponseBodyMimeType text/plain text/html text/xml
> # Buffer response bodies of up to 512 KB in length.
> SecResponseBodyLimit 524288
> # What happens when we encounter a response body larger than the configured
> # limit? By default, we process what we have and let the rest through.
> # That's somewhat less secure, but does not break any legitimate pages.
> #
> SecResponseBodyLimitAction ProcessPartial
> # -- Filesystem configuration ------------------------------------------------
> # The location where ModSecurity stores temporary files (for example, when
> # it needs to handle a file upload that is larger than the configured limit).
> # 
> # This default setting is chosen due to all systems have /tmp available however, 
> # this is less than ideal. It is recommended that you specify a location that's private.
> #
> SecTmpDir /var/log/modsecurity_workdir/
> # The location where ModSecurity will keep its persistent data.  This default setting 
> # is chosen due to all systems have /tmp available however, it
> # too should be updated to a place that other users can't access.
> #
> SecDataDir /var/log/modsecurity_workdir/
> # -- File uploads handling configuration -------------------------------------
> # The location where ModSecurity stores intercepted uploaded files. This
> # location must be private to ModSecurity. You don't want other users on
> # the server to access the files, do you?
> #
> SecUploadDir /var/log/modsecurity_workdir/
> # By default, only keep the files that were determined to be unusual
> # in some way (by an external inspection script). For this to work you
> # will also need at least one file inspection rule.
> #
> SecUploadKeepFiles RelevantOnly
> # Uploaded files are by default created with permissions that do not allow
> # any other user to access them. You may need to relax that if you want to
> # interface ModSecurity to an external program (e.g., an anti-virus).
> #
> #SecUploadFileMode 0600
> # -- Debug log configuration -------------------------------------------------
> # The default debug log configuration is to duplicate the error, warning
> # and notice messages from the error log.
> #
> #SecDebugLog /var/log/nginx/modsecurity/debug.log
> #SecDebugLogLevel 0
> # -- Audit log configuration -------------------------------------------------
> # Log the transactions that are marked by a rule, as well as those that
> # trigger a server error (determined by a 5xx or 4xx, excluding 404,  
> # level response status codes).
> #
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> # Log everything we know about a transaction.
> SecAuditLogParts ABIJDEFHZ
> # Use a single file for logging. This is much easier to look at, but
> # assumes that you will use the audit log only ocassionally.
> #
> #SecAuditLogType Serial
> SecAuditLogType Concurrent
> SecAuditLog /var/log/nginx/modsecurity/modsec_audit.log
> # Specify the path for concurrent audit logging.
> SecAuditLogStorageDir /var/log/nginx/modsecurity/
> # -- Miscellaneous -----------------------------------------------------------
> # Use the most commonly used application/x-www-form-urlencoded parameter
> # separator. There's probably only one application somewhere that uses
> # something else so don't expect to change this value.
> #
> SecArgumentSeparator &
> # Settle on version 0 (zero) cookies, as that is what most applications
> # use. Using an incorrect cookie version may open your installation to
> # evasion attacks (against the rules that examine named cookies).
> #
> SecCookieFormat 0
> # Specify your Unicode Code Point.
> # This mapping is used by the t:urlDecodeUni transformation function
> # to properly map encoded data to your language. Properly setting
> # these directives helps to reduce false positives and negatives.
> #
> #SecUnicodeCodePage 20127
> #SecUnicodeMapFile unicode.mapping
> #Include csr/modsecurity_crs_10_setup.conf
> #Include csr/activated_rules/*.conf

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[Mod-security-developers] ModSecurity for Java - BETA Testers Needed

[Ryan B. <RBa...@tr...>]

FYI -
http://blog.spiderlabs.com/2013/09/modsecurity-for-java-beta-testers-needed.html

If you have any Java servers (Tomcat, Struts, Spring, etc…) please download this code and give it a test.  Let us know if you have any issues.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.