mod-security-developers Mailing List for ModSecurity (Page 7)
From: Frédéric G. <sup...@gm...> - 2017-12-22 12:46:26
Hello,

Adding the **UriPhase** phase into the enum Phases (see headers/modsecurity/modsecurity.h) seems to have introduced a shift in the numbering of the historical phases: RequestHeadersPhase is numbered 2 (instead of 1) and so on (see src/actions/phase.cc).

This has been tested with ModSecurity-3.0 (branch v3/master) in library mode and ModSecurity connector for nginx (branch master).

Extract of headers/modsecurity/modsecurity.h file

```
#ifdef __cplusplus
#include <ctime>
#include <iostream>
#include <string>
#include <memory>
#endif

#ifndef HEADERS_MODSECURITY_MODSECURITY_H_
#define HEADERS_MODSECURITY_MODSECURITY_H_

#ifndef __cplusplus
typedef struct ModSecurity_t modsecurity;
#else
namespace modsecurity {
/**
 *
 * The Phases enumerator consists in mapping the different stages of a
 * given request. ModSecurity is expected to inspect data based on those
 * "phases". If your module/application use this in a different order, it
 * will lead ModSecurity to act in an unexpected behavior.
 *
 * It is mandatory to call all the phases, even if you don't have this
 * phases segmented in your end.
 *
 */
enum Phases {
    /**
     *
     * The connection is the very first information that ModSecurity can
     * inspect. It is expected to happens before the virtual host name be
     * resolved. This phase is expected to happen immediately after a
     * connection is established.
     *
     */
    ConnectionPhase,
    /**
     *
     * The "URI" phase happens just after the web server (or any other
     * application that you may use with ModSecurity) have the acknowledgement
     * of the full request URI.
     *
     */
    UriPhase,
    /**
     *
     * The "RequestHeaders" phase happens when the server has all the
     * information about the headers. Notice however, that it is expected to
     * happen prior to the reception of the request body (if any).
     *
     */
    RequestHeadersPhase,
[...]
```

Extract of src/actions/phase.cc file

```
#include "src/actions/phase.h"

#include <iostream>
#include <string>

#include "modsecurity/transaction.h"
#include "modsecurity/rule.h"
#include "modsecurity/modsecurity.h"
#include "src/utils/string.h"

namespace modsecurity {
namespace actions {

bool Phase::init(std::string *error) {
    std::string a = utils::string::tolower(m_parser_payload);
    m_phase = -1;

    try {
        m_phase = std::stoi(m_parser_payload);
        if (m_phase == 0) {
            m_phase = modsecurity::Phases::ConnectionPhase;
            m_secRulesPhase = 0;
        } else if (m_phase == 1) {
            m_phase = modsecurity::Phases::RequestHeadersPhase;
            m_secRulesPhase = 1;
        } else if (m_phase == 2) {
            m_phase = modsecurity::Phases::RequestBodyPhase;
            m_secRulesPhase = 2;
        } else if (m_phase == 3) {
            m_phase = modsecurity::Phases::ResponseHeadersPhase;
            m_secRulesPhase = 3;
        } else if (m_phase == 4) {
            m_phase = modsecurity::Phases::ResponseBodyPhase;
            m_secRulesPhase = 4;
        } else if (m_phase == 5) {
            m_phase = modsecurity::Phases::LoggingPhase;
            m_secRulesPhase = 5;
        }
    } catch (...) {
        if (a == "request") {
            m_phase = modsecurity::Phases::RequestBodyPhase;
            m_secRulesPhase = 2;
        } else if (a == "response") {
            m_phase = modsecurity::Phases::ResponseBodyPhase;
            m_secRulesPhase = 4;
        } else if (a == "logging") {
            m_phase = modsecurity::Phases::LoggingPhase;
            m_secRulesPhase = 5;
        }
    }
```

Br.
--
Fred
sup...@gm...
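The two numbering spaces described in the report above, shown as an added example that is not part of the original post or of the ModSecurity code base: a self-contained model of the `Phases` enum and a strict parser for the `phase` action that keeps the rule-language number and the enum value apart. The order of the enum members after `RequestHeadersPhase` (elided as `[...]` in the extract) and the names `PhaseSpec`, `parsePhase` and `secRulesNumber` are assumptions of this example.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Model of the enum from the extract. The members after RequestHeadersPhase
// are elided in the post; their order here is an assumption of this example.
enum Phases {
    ConnectionPhase,       // enum value 0, SecRules phase 0
    UriPhase,              // enum value 1, no SecRules phase number
    RequestHeadersPhase,   // enum value 2, SecRules phase 1
    RequestBodyPhase,      // enum value 3, SecRules phase 2
    ResponseHeadersPhase,  // enum value 4, SecRules phase 3
    ResponseBodyPhase,     // enum value 5, SecRules phase 4
    LoggingPhase           // enum value 6, SecRules phase 5
};

// Hypothetical type: carries both numbers so callers never mix them up.
struct PhaseSpec {
    Phases engine;   // value used to index per-phase data inside the library
    int secRules;    // number the rule author wrote ("phase:N")
};

// Indexed by the SecRules phase number (0..5).
static const PhaseSpec kSecRulesPhases[] = {
    {ConnectionPhase, 0},
    {RequestHeadersPhase, 1},
    {RequestBodyPhase, 2},
    {ResponseHeadersPhase, 3},
    {ResponseBodyPhase, 4},
    {LoggingPhase, 5},
};
static const int kSecRulesPhaseCount =
    sizeof(kSecRulesPhases) / sizeof(kSecRulesPhases[0]);

// Parse the payload of a "phase" action. Accepts the aliases handled in the
// extract ("request", "response", "logging") and a single digit 0..5.
// Anything else is rejected: std::stoi alone would accept "2abc" as 2.
bool parsePhase(const std::string &payload, PhaseSpec *out) {
    std::string a;
    for (unsigned char c : payload) {
        a += static_cast<char>(std::tolower(c));
    }

    int n = -1;
    if (a == "request") {
        n = 2;
    } else if (a == "response") {
        n = 4;
    } else if (a == "logging") {
        n = 5;
    } else if (a.size() == 1 && a[0] >= '0' && a[0] <= '5') {
        n = a[0] - '0';
    }
    if (n < 0) {
        return false;
    }
    *out = kSecRulesPhases[n];
    return true;
}

// Reverse mapping for log messages: enum value -> SecRules phase number,
// or -1 when the phase has no number in the rule language (UriPhase).
int secRulesNumber(Phases p) {
    for (int i = 0; i < kSecRulesPhaseCount; i++) {
        if (kSecRulesPhases[i].engine == p) {
            return kSecRulesPhases[i].secRules;
        }
    }
    return -1;
}

int main() {
    // Constructed sample payloads, including two that must be rejected.
    const char *inputs[] = {"0", "1", "2", "request", "Logging", "2abc", "6"};
    for (const char *in : inputs) {
        PhaseSpec s;
        if (parsePhase(in, &s)) {
            std::printf("phase:%-8s -> SecRules %d, enum value %d\n",
                        in, s.secRules, static_cast<int>(s.engine));
        } else {
            std::printf("phase:%-8s -> rejected\n", in);
        }
    }
    return 0;
}
```

A connector or rule-processing loop that indexes per-phase data with the rule number instead of the enum value would be off by one for every phase after `ConnectionPhase`, which is the shift the report describes.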
From: Felipe C. <FC...@tr...> - 2017-12-20 19:02:40
It is a pleasure to announce the release of ModSecurity nginx connector, version 1.0.0.

This is the first version for the nginx connector. This connector is meant to work together with ModSecurity version 3.

The version 1.0.0 can be downloaded straight from GitHub:
https://github.com/SpiderLabs/ModSecurity-nginx/releases/tag/v1.0.0/

The list of open issues is available on GitHub:
https://github.com/SpiderLabs/ModSecurity-nginx/issues?q=is%3Aissue+is%3Aopen

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches and so on. Special thanks to Andrei Belov and nginx.

Further details on the compilation process can be found on the project README:
- https://github.com/SpiderLabs/ModSecurity-nginx/#compilation

Complementary documentation on ModSecurity version 3 can be found here:
- https://github.com/SpiderLabs/ModSecurity/tree/v3/master

Br.,
Felipe "Zimmerle" Costa
Security Researcher, Lead Developer ModSecurity.

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
From: Jai H. <jai...@mu...> - 2017-12-20 18:17:33
I have an application which already retrieves requests and responses from "the wire". I'm trying to add modSecurity to check the requests/responses for WAF errors using:

```
msc_process_request_headers();
msc_process_request_body();
msc_process_response_headers();
msc_process_response_body();
```

I don't want WAF to necessarily take any action, just inform the caller if any problems were found. If this is possible, how is it done?

Also, not sure what the purpose of the below APIs is for my specific application.

```
msc_new_transaction();
msc_process_connection(t);
msc_process_uri();
```

I was not able to locate a description of the above APIs. If detailed descriptions exist, please let me know where they are located.

Thanks.
From: jussmen <ju...@ya...> - 2017-12-20 12:05:25
Hello Felipe,

Thank you for your clarification. It works now and I am able to compile *modified test.c*!

Have a nice holiday season.

Regards,
Kimi.

> On 18 Dec 2017, at 13:14, Felipe Costa <FC...@tr...> wrote:
>
> Hi Jussmen,
>
> The compilation of the examples is part of the build process. You can control the examples compilation by the configuration flags: --enable-examples or --disable-examples. In the configuration summary there is a line that spot if you have it enabled or not, something like:
>
> + library examples ....enabled
>
> If you have that, the examples will be compiled altogether with libModSecurity. There should be a binary named `test' in the example folder.
>
> If you want to modify the example for testing, you just have to enter "make" in the example folder. It should compile the new code.
>
> If you really want to compile the example, separated from the library compilation, you may need to have something like:
>
> $ gcc test.c -o test-out -L../../src/.libs/ -Wl,-rpath=../../src/.libs/ -lmodsecurity -I ../../headers
>
> The directory: ../../src/.libs/ is the place where you can find libModSecurity compiled. While ../../headers is the directory of the headers file. The _rpath_ option suppress the need of the utilization of LD_LIBRARY_PATH.
>
> If you have the library installed in your system, you can also use:
>
> $ gcc test.c -o test-out -L/usr/local/modsecurity/lib -Wl,-rpath=/usr/local/modsecurity/lib -lmodsecurity -I /usr/local/modsecurity/include
>
> I hope you enjoy to work with the library ;)
>
> Br.,
> Felipe “Zimmerle” Costa
> Security Researcher, Lead Developer ModSecurity.
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com
From: Felipe C. <FC...@tr...> - 2017-12-18 13:14:36
Hi Jussmen,

The compilation of the examples is part of the build process. You can control the examples compilation by the configuration flags: --enable-examples or --disable-examples. In the configuration summary there is a line that spot if you have it enabled or not, something like:

```
+ library examples ....enabled
```

If you have that, the examples will be compiled altogether with libModSecurity. There should be a binary named `test' in the example folder.

If you want to modify the example for testing, you just have to enter "make" in the example folder. It should compile the new code.

If you really want to compile the example, separated from the library compilation, you may need to have something like:

```
$ gcc test.c -o test-out -L../../src/.libs/ -Wl,-rpath=../../src/.libs/ -lmodsecurity -I ../../headers
```

The directory: ../../src/.libs/ is the place where you can find libModSecurity compiled. While ../../headers is the directory of the headers file. The _rpath_ option suppress the need of the utilization of LD_LIBRARY_PATH.

If you have the library installed in your system, you can also use:

```
$ gcc test.c -o test-out -L/usr/local/modsecurity/lib -Wl,-rpath=/usr/local/modsecurity/lib -lmodsecurity -I /usr/local/modsecurity/include
```

I hope you enjoy to work with the library ;)

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: jussmen <ju...@ya...>
Sent: Monday, December 18, 2017 8:55 AM
To: mod...@li...
Subject: [Mod-security-developers] [modsecurity version 3] "undefined reference to" error when compiling test.c

Hello,

I am trying to run the test.c connector to see what Modsecurity version 3 is, and having the following error while compiling test.c.
https://github.com/SpiderLabs/ModSecurity/blob/v3/master/examples/simple_example_using_c/test.c

I used Ubuntu 17.10 also CentOS 7 Minimal and basically got the same problem.

And followed the recipe (note: I added pkg-config).
From: jussmen <ju...@ya...> - 2017-12-18 10:56:01
Hello,

I am trying to run the test.c connector to see what Modsecurity version 3 is, and having the following error while compiling test.c.
https://github.com/SpiderLabs/ModSecurity/blob/v3/master/examples/simple_example_using_c/test.c

I used Ubuntu 17.10 also CentOS 7 Minimal and basically got the same problem.

And followed the recipe (note: I added pkg-config).
https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes

```
$ sudo apt-get install g++ flex bison curl doxygen libyajl-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev pkg-config
$ cd /opt/
$ git clone https://github.com/SpiderLabs/ModSecurity
$ cd ModSecurity/
$ git checkout -b v3/master origin/v3/master
$ sh build.sh
$ git submodule init
$ git submodule update #[for bindings/python, others/libinjection, test/test-cases/secrules-language-tests]
$ ./configure
$ make
$ make install
```

Here is some more details from my Ubuntu.

When I compile test.c, I get following errors.

```
root@ubuntu:/opt/ModSecurity/examples/simple_example_using_c# gcc -W test.c -o foo.o -L/usr/local/modsecurity/lib -I/opt/ModSecurity/headers/modsecurity/
/tmp/ccCMawz3.o: In function `main':
test.c:(.text+0x34): undefined reference to `msc_init'
test.c:(.text+0x4b): undefined reference to `msc_set_connector_info'
test.c:(.text+0x55): undefined reference to `msc_create_rules_set'
test.c:(.text+0x70): undefined reference to `msc_rules_add_file'
test.c:(.text+0xc9): undefined reference to `msc_rules_dump'
test.c:(.text+0xea): undefined reference to `msc_rules_add_remote'
test.c:(.text+0x143): undefined reference to `msc_rules_dump'
test.c:(.text+0x15b): undefined reference to `msc_new_transaction'
test.c:(.text+0x184): undefined reference to `msc_process_connection'
test.c:(.text+0x1a5): undefined reference to `msc_process_uri'
test.c:(.text+0x1b1): undefined reference to `msc_process_request_headers'
test.c:(.text+0x1bd): undefined reference to `msc_process_request_body'
test.c:(.text+0x1d5): undefined reference to `msc_process_response_headers'
test.c:(.text+0x1e1): undefined reference to `msc_process_response_body'
test.c:(.text+0x1ed): undefined reference to `msc_process_logging'
test.c:(.text+0x1f9): undefined reference to `msc_rules_cleanup'
test.c:(.text+0x205): undefined reference to `msc_cleanup'
collect2: error: ld returned 1 exit status
```

I verified library is installed, header files are in the specified path.

```
root@ubuntu:/opt/ModSecurity/examples/simple_example_using_c# ls -al /usr/local/modsecurity/lib
total 174360
drwxr-xr-x 2 root root      4096 Dec 16 09:58 .
drwxr-xr-x 5 root root      4096 Dec 11 16:42 ..
-rw-r--r-- 1 root root 141791210 Dec 16 09:58 libmodsecurity.a
-rwxr-xr-x 1 root root      1094 Dec 16 09:58 libmodsecurity.la
lrwxrwxrwx 1 root root        23 Dec 16 09:58 libmodsecurity.so -> libmodsecurity.so.3.0.0
lrwxrwxrwx 1 root root        23 Dec 16 09:58 libmodsecurity.so.3 -> libmodsecurity.so.3.0.0
-rwxr-xr-x 1 root root  36736752 Dec 16 09:58 libmodsecurity.so.3.0.0
root@ubuntu:/opt/ModSecurity/examples/simple_example_using_c#
root@ubuntu:/opt/ModSecurity/examples/simple_example_using_c# ls -al /opt/ModSecurity/headers/modsecurity/
total 112
drwxr-xr-x 4 root root  4096 Dec 18 01:55 .
drwxr-xr-x 3 root root  4096 Dec 16 10:00 ..
drwxr-xr-x 2 root root  4096 Dec 11 16:28 actions
-rw-r--r-- 1 root root  2622 Dec 11 16:28 anchored_set_variable.h
-rw-r--r-- 1 root root  1802 Dec 11 16:28 anchored_variable.h
-rw-r--r-- 1 root root  5732 Dec 11 16:28 audit_log.h
drwxr-xr-x 2 root root  4096 Dec 11 16:28 collection
-rw-r--r-- 1 root root  1403 Dec 11 16:28 debug_log.h
-rw-r--r-- 1 root root  1649 Dec 11 16:28 intervention.h
-rw-r--r-- 1 root root  8403 Dec 11 16:28 modsecurity.h
-rw-r--r-- 1 root root  3571 Dec 11 16:28 rule.h
-rw-r--r-- 1 root root  3203 Dec 11 16:28 rule_message.h
-rw-r--r-- 1 root root  2493 Dec 11 16:28 rules_exceptions.h
-rw-r--r-- 1 root root  2555 Dec 11 16:28 rules.h
-rw-r--r-- 1 root root 14789 Dec 11 16:28 rules_properties.h
-rw-r--r-- 1 root root 20688 Dec 11 16:28 transaction.h
-rw-r--r-- 1 root root  1220 Dec 11 16:28 variable_origin.h
```

Then, I tried the installation process again and reviewed the outputs.

Full output is on Gist
https://gist.github.com/jussmen/33cc70b76f21dc4d7a01743a02b15202

I noticed that it says I should add LIBDIR into LD_LIBRARY_PATH and LD_RUN_PATH.
So I checked what path is specified in LIBDIR after the installation process, and found it is empty on my Ubuntu.

```
root@ubuntu:/opt/ModSecurity# echo $LIBDIR

root@ubuntu:/opt/ModSecurity#
```

```
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/local/modsecurity/lib

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the '-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the 'LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the 'LD_RUN_PATH' environment variable
     during linking
   - use the '-Wl,-rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to '/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
```

I guess I should have something with LIBDIR and that is why compiling test.c returns 'undefined reference to' errors?

I appreciate any guidance.

Regards,
Kimi.
From: Christian F. <chr...@ne...> - 2017-12-15 15:13:43
On Fri, Dec 15, 2017 at 03:10:33PM +0000, Felipe Costa wrote:
> Thank you Christian. Indeed I am very happy with this release :) Hope
> to make the life of ModSecurity users better.

I bet it will!

> Thanks, also, to everybody that was involved on with it, including you
> :)

You're welcome. But we all know you did all the heavy lifting yourself!

Christian

> Br.,
>
> Felipe “Zimmerle” Costa
> Security Researcher, Lead Developer ModSecurity.
>
> Trustwave | SMART SECURITY ON DEMAND
> [1]www.trustwave.com
> __________________________________________________________________
>
> From: Christian Folini <chr...@ne...>
> Sent: Friday, December 15, 2017 8:11:55 AM
> To: mod...@li...; mod...@li...
> Subject: Re: [Mod-security-developers] ModSecurity version 3.0.0 announcement
>
> Congratulations Zimmerle!
> This is a very big day and I am impressed by your achievement! I drink to a
> bright future for libModSecurity 3.0!
> Christian
> On Thu, Dec 14, 2017 at 10:26:17PM +0000, Felipe Costa wrote:
> >
> > It is a pleasure to announce the release of ModSecurity version 3.0.0, aka
> > libModSecurity. This version contains fixes on top of v3.0.0-rc1 and
> > improvements on some features.
> >
> > The most important addition of this release was the full support for some
> > missing pieces such as: Lua, SecRuleRemoveByTag and the @fuzzyHash operator.
> >
> > At this point ModSecurity version 3 is considerable to be feature complete. Any
> > missing piece may not be suitable for version 3 family. At least not
> > before discussion.
> >
> > The list with the full changes can be found on the project CHANGES file,
> > available here:
> > - [2]https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_SrVbV5HsA&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2freleases%2ftag%2fv3%2e0%2e0%2fCHANGES
> >
> > The version 3.0.0 can be downloaded straight from GitHub:
> > - [3]https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_XuJPgVM5w&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2freleases%2ftag%2fv3%2e0%2e0%2f
> >
> > The list of open issues is also available on GitHub:
> > - [4]https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_XuJOVNNsA&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2fissues%3fq%3dis%253Aissue%2bis%253Aopen%2blabel%253Alibmodsecurity
> >
> > Notice that differently from version 2, ModSecurity v3 does not target any
> > specific web server or web server version. The version 3 is about a library.
> > The connectors are the ones responsible to create the link between the web
> > server and libModSecurity. Each web server should have its own connector.
> > Currently we support the Nginx connector and there is a Apache connector
> > available for test (not yet released).
> >
> > IMPORTANT: ModSecurity version 2 will be available and maintained parallel
> > to version 3. There is no ETA to deprecate the version 2.x. New features and
> > major improvements will be implemented on version 3.x. Security or major bugs
> > are planned to be back ported. Version 2 and version 3 has a completely
> > independent development/release cycle.
> >
> > Thanks to everybody who helped in this process: reporting issues, making
> > comments and suggestions, sending patches and so on.
> >
> > Further details on the compilation process for ModSecurity v3, can be found on
> > the project README:
> > - [5]https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_X2HOldK4w&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2ftree%2fv3%2fmaster%23compilation
> >
> > Complementary documentation for the connectors are available here:
> > - nginx: [6]https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_XjUPlEYtg&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity-nginx%2f%23compilation
> > - Apache: [7]https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_S6AOVZO4g&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity-apache%2f%23compilation
> >
> >
> > Br.,
> > Felipe "Zimmerle" Costa
> > Security Researcher, Lead Developer ModSecurity.
> >
> > Trustwave | SMART SECURITY ON DEMAND
> > [8]www.trustwave.com
> >
> >
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, [9]http://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_S6Ga1Ea5g&s=5&u=http%3a%2f%2fSlashdot%2eorg%21 [10]http://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_XjVbVUc4g&s=5&u=http%3a%2f%2fsdm%2elink%2fslashdot
> > _______________________________________________
> > mod-security-developers mailing list
> > mod...@li...
> > [11]https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_S-CZ1NJsQ&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-developers
> > ModSecurity Services from Trustwave's SpiderLabs:
> > [12]https://www.trustwave.com/spiderLabs.php
> --
> [13]https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_SuGaFUd4A&s=5&u=https%3a%2f%2fwww%2efeistyduck%2ecom%2ftraining%2fmodsecurity-training-course
> [14]https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_SyFb18b7A&s=5&u=https%3a%2f%2fwww%2efeistyduck%2ecom%2fbooks%2fmodsecurity-handbook%2f
> [15]mailto:chr...@ne...
> twitter: @ChrFolini
>
> References
>
> 1. http://www.trustwave.com/
> 2. https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_SrVbV5HsA&s=5&u=https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.0/CHANGES
> 3. https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_XuJPgVM5w&s=5&u=https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.0/
> 4. https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_XuJOVNNsA&s=5&u=https://github.com/SpiderLabs/ModSecurity/issues?q=is%3Aissue+is%3Aopen+label%3Alibmodsecurity
> 5. https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_X2HOldK4w&s=5&u=https://github.com/SpiderLabs/ModSecurity/tree/v3/master#compilation
> 6. https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_XjUPlEYtg&s=5&u=https://github.com/SpiderLabs/ModSecurity-nginx/#compilation
> 7. https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_S6AOVZO4g&s=5&u=https://github.com/SpiderLabs/ModSecurity-apache/#compilation
> 8. http://www.trustwave.com/
> 9. http://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_S6Ga1Ea5g&s=5&u=http://Slashdot.org!
> 10.
http://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_XjVbVUc4g&s=5&u=http://sdm.link/slashdot > 11. https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_S-CZ1NJsQ&s=5&u=https://lists.sourceforge.net/lists/listinfo/mod-security-developers > 12. https://www.trustwave.com/spiderLabs.php > 13. https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_SuGaFUd4A&s=5&u=https://www.feistyduck.com/training/modsecurity-training-course > 14. https://scanmail.trustwave.com/?c=4062&d=-J-z2kP3sJBdn_MkkJUUMkJvM0JY3XGs_SyFb18b7A&s=5&u=https://www.feistyduck.com/books/modsecurity-handbook/ > 15. mailto:chr...@ne... > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > mod-security-developers mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-developers > ModSecurity Services from Trustwave's SpiderLabs: > https://www.trustwave.com/spiderLabs.php -- https://www.feistyduck.com/training/modsecurity-training-course https://www.feistyduck.com/books/modsecurity-handbook/ mailto:chr...@ne... twitter: @ChrFolini |
From: Felipe C. <FC...@tr...> - 2017-12-15 15:10:46
|
Thank you Christian. Indeed I am very happy with this release :) Hope to make the life of ModSecurity users better.

Thanks, also, to everybody that was involved on with it, including you :)

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/> |
From: Christian F. <chr...@ne...> - 2017-12-15 10:12:04
|
Congratulations Zimmerle!

This is a very big day and I am impressed by your achievement! I drink to a bright future for libModSecurity 3.0!

Christian

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini |
From: Felipe C. <FC...@tr...> - 2017-12-14 22:26:28
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It is a pleasure to announce the release of ModSecurity version 3.0.0, aka libModSecurity. This version contains fixes on top of v3.0.0-rc1 and improvements on some features.

The most important addition of this release was the full support for some missing pieces such as: Lua, SecRuleRemoveByTag and the @fuzzyHash operator.

At this point ModSecurity version 3 is considered to be feature complete. Any missing piece may not be suitable for version 3 family. At least not before discussion.

The list with the full changes can be found on the project CHANGES file, available here:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.0/CHANGES

The version 3.0.0 can be downloaded straight from GitHub:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.0/

The list of open issues is also available on GitHub:
- https://github.com/SpiderLabs/ModSecurity/issues?q=is%3Aissue+is%3Aopen+label%3Alibmodsecurity

Notice that differently from version 2, ModSecurity v3 does not target any specific web server or web server version. The version 3 is about a library. The connectors are the ones responsible to create the link between the web server and libModSecurity. Each web server should have its own connector. Currently we support the Nginx connector and there is an Apache connector available for test (not yet released).

IMPORTANT: ModSecurity version 2 will be available and maintained parallel to version 3. There is no ETA to deprecate the version 2.x. New features and major improvements will be implemented on version 3.x. Security or major bugs are planned to be back ported. Version 2 and version 3 have a completely independent development/release cycle.

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches and so on.

Further details on the compilation process for ModSecurity v3 can be found on the project README:
- https://github.com/SpiderLabs/ModSecurity/tree/v3/master#compilation

Complementary documentation for the connectors is available here:
- nginx: https://github.com/SpiderLabs/ModSecurity-nginx/#compilation
- Apache: https://github.com/SpiderLabs/ModSecurity-apache/#compilation

Br.,
Felipe "Zimmerle" Costa
Security Researcher, Lead Developer ModSecurity.

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iF0EARECAB0WIQQZDvrMoen6RmqOzZzm37CM6LESdwUCWjL5gQAKCRDm37CM6LES
d+I9AJ0W6S2jXBFSXcAPBQD/qhs4W0SOwQCgoeKBpOOSAcAZXsAqQOA4oUFV+yY=
=BrVr
-----END PGP SIGNATURE----- |
From: Sri H. K. <sri...@gm...> - 2017-10-02 01:44:06
|
Hello,

We have modsecurity installed on centos6, which is compiled with apache2.2.15. We are using apache reverse proxy. We are having trouble getting modsecurity to interact with SNI based sites.

From below change log for Apache2.4, can I assume that reverse proxy is not supported with SNI till Apache 2.4? and so this is less of modsecurity problem and more of an apache problem?

See: https://www.apachelounge.com/Changelog-2.4.html

Important Part:

*) ab: Set the Server Name Indication (SNI) extension on outgoing TLS connections (unless -I is specified), according to the Host header (if any) or the requested URL's hostname otherwise. [Yann Ylavic]

If someone could confirm/double check this assessment that would be great, and only solution would be recompile modsecurity with apache 2.4? Looks like there is no modsecurity module with apache 2.4 for EL6.

https://access.redhat.com/discussions/2451361

Thanks in advance.

Regards,
SK |
From: icehosting <in...@ic...> - 2017-09-23 14:05:23
|
thank you very much

--
Χρήστος Πελέκης
icehosting.com
tel. 212 213 2769
fax 212 213 2869
mob. 693 888 6166 |
From: Christian F. <chr...@ne...> - 2017-09-15 12:25:53
|
Hello Icehosting,

This is all very much up to you. The ModSecurity Handbook has some additional details on the requests performed, but basically you construct the service yourself based on the request that ModSec issues.

Ahoj,

Christian

On Fri, Sep 15, 2017 at 02:58:08PM +0300, icehosting via mod-security-developers wrote:
> Hello,
> i have a set of custom rules and i want to ask my customers to use
> the SecRemoteRules config in order to download this rules.
> For example SecRemoteRules serial_number
> https://mywebsite.com/modsecrules.php
> However i can't find any documentation about the specs in the
> communication between apache and my php script. How this work?
> My programmer can make the php script to check the serial for validity,
> etc but need to know the apache make the request etc.
> Thank you

--
ModSecurity courses Oct 2017 in London and Zurich
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini |
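The kind of service described in the reply above, as an added example that is not part of the original thread or of ModSecurity's own code: a small endpoint that checks the key presented by a SecRemoteRules client and returns that customer's rules as plain text. The ModSec-key header name, the serial numbers and the rule sets are assumptions for illustration; confirm the header against a request captured from your own ModSecurity build.

```python
"""Rules-distribution endpoint for SecRemoteRules clients (added example)."""
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the SecRemoteRules key arrives in this request header. Verify
# the name against a request captured from your own ModSecurity build.
KEY_HEADER = "ModSec-key"

# Constructed sample data: serial numbers issued to customers, mapped to the
# rule text each customer is entitled to download.
RULESETS = {
    "SERIAL-0001": 'SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"\n',
    "SERIAL-0002": 'SecRule ARGS:testparam "@contains test" "id:1235,deny,status:403"\n',
}
REVOKED = {"SERIAL-0002"}  # serials that must no longer receive rules


def find_serial(presented):
    """Return the issued serial equal to `presented`, or None.

    Every candidate is compared with hmac.compare_digest and the loop never
    exits early, so response time does not reveal how close a guess was.
    """
    candidate = presented.encode("utf-8")
    found = None
    for serial in RULESETS:
        if hmac.compare_digest(serial.encode("utf-8"), candidate):
            found = serial
    return found


def select_rules(headers):
    """Map request headers to (HTTP status, response body)."""
    presented = headers.get(KEY_HEADER)
    if not presented:
        return 401, ""  # no key sent at all
    serial = find_serial(presented)
    if serial is None or serial in REVOKED:
        return 403, ""  # unknown or revoked key: never send rules
    return 200, RULESETS[serial]


class RulesHandler(BaseHTTPRequestHandler):
    """Serves the selected rule set as text/plain on GET."""

    def do_GET(self):
        status, body = select_rules(self.headers)
        payload = body.encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Plain HTTP on loopback for local testing only; put TLS in front of it
    # before any client fetches rules across a network.
    HTTPServer(("127.0.0.1", 8080), RulesHandler).serve_forever()
```

Because the downloaded text becomes live WAF configuration on the client, the endpoint refuses unknown and revoked keys with an empty body rather than a default rule set.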
From: icehosting <in...@ic...> - 2017-09-15 12:21:34
|
Hello,

I have a set of custom rules and I want to ask my customers to use the SecRemoteRules config in order to download these rules. For example:

SecRemoteRules serial_number https://mywebsite.com/modsecrules.php

However I can't find any documentation about the specs in the communication between Apache and my PHP script. How does this work? My programmer can make the PHP script check the serial for validity, etc., but needs to know how Apache makes the request, etc.

Thank you |
From: Felipe C. <FC...@tr...> - 2017-07-19 14:09:22
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am very proud to announce ModSecurity version 2.9.2. In 2.9.2 we have some new features and bug fixes as well as two _security issues_ fixed.

This release, like all releases of 2.9 family, is a combined release for all bindings/versions that we support: Apache, Nginx, and IIS. Although Nginx users preferably want to use libModSecurity [1] with the ModSecurity-nginx connector [2].

This is the last release of 2.9.2 family which is likely to have new features as this version is being slowly deprecated in favor of ModSecurity version 3.

In this release we’ve got two security issues fixed:
- Allan Boll reported an uninitialized variable that may lead to a crash on Windows platform.
- Brian Adeloye reported an infinite loop on the version of libInjection used on ModSecurity 2.9.1.

Thanks to Allan Boll and Brian Adeloye for the security reports ;)

The complete list of changes is available on our change logs:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.2

The source and binaries (and the respective hashes/signatures) are available at:
- - https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.2

Thanks to everybody who participated with bug reports, comments and code, including: @victorhora, @defanator, @client9, @bjdijk, @hideaki, @parthasarathi204, Daniel Stelter-Gliese, @LukeP21, @mturk, Coty Sutherland, Robert Bost, Marc Stern, @bazzadp, Sander Hoentjen, Robert Paprocki, @Rendername, @emphazer, Chaim Sanders, Thomas Deutschmann, Michael Kjeldsen, Armin Abfalterer, Robert Culyer, Ephraim Vider, @charlymps, Christian Folini, Alexey Sintsov.

[1] https://github.com/SpiderLabs/ModSecurity/tree/v3/master
[2] http://www.github.com/SpiderLabs/ModSecurity-nginx/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - https://gpgtools.org

iEYEARECAAYFAllufKgACgkQ5t+wjOixEndelgCghnMYdBQ26AXeRjmc1c8zNTbX
EE0AoJRqbAgSVJAjQus479ZopLKzNkJn
=oONS
-----END PGP SIGNATURE----- |
From: Podlogar S. <Sre...@nl...> - 2017-03-10 13:38:35
|
Dear developers,

I would like to compile Mod Security 2.9.1 for HP-UX. HP-UX (Internet Express)<http://h20338.www2.hp.com/hpux11i/cache/324414-0-0-0-121.html> version 2.6 does not work on Apache 2.4. (HP has no plans to release a new version of mod_security).

For compile I use (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_Apache):
- gcc 4.7.2, pcre 8.4, xml2 2.94 and apache 2.4 (HP-UX Apache-based Web Server v.5.02, powered by Apache Tomcat Webmin for 11i v3<https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW502>)

There is no problem with configure, but when I try make I get:

mod_security2.c: In function 'register_hooks':
mod_security2.c:1667:33: error: 'hook_connection_early' undeclared (first use in this function)
mod_security2.c:1667:33: note: each undeclared identifier is reported only once for each function it appears in
*** Error exit code 1

Do you have any solution, help,...?

Srecko

==========================================================================================
This e-mail and any attachments may contain confidential and/or privileged information and is intended solely for the addressee. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. This e-mail may not necessarily reflect the official viewpoint of the company. E-mail message is scanned by Anti-Virus Software. |
From: <par...@ya...> - 2017-02-16 07:16:10
|
Hi, I have faced this issue while running regression tests on windows 2012 R2. Analyzing the code, I found there is buffer overflow of msc_crypt.c # hmac() function. I have updated my comments https://github.com/SpiderLabs/ModSecurity/issues/1198. Following changes will fix the issue . ============================== diff --git a/apache2/msc_crypt.c b/apache2/msc_crypt.c index e7590b6..66a9dc0 100644 --- a/apache2/msc_crypt.c +++ b/apache2/msc_crypt.c @@ -189,7 +189,7 @@ char *hmac(modsec_rec *msr, const char *key, int key_len, unsigned char hmac_ipad[HMAC_PAD_SIZE], hmac_opad[HMAC_PAD_SIZE]; unsigned char nkey[APR_SHA1_DIGESTSIZE]; unsigned char *hmac_key = (unsigned char *) key; - char hex_digest[APR_SHA1_DIGESTSIZE * 2], *hmac_digest; + char hex_digest[APR_SHA1_DIGESTSIZE * 2 + 1], *hmac_digest; const char hex[] = "0123456789abcdef"; int i; ============================== Thanks and Regards, Partha |
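Review bot: the changed declaration, hex_digest[APR_SHA1_DIGESTSIZE * 2 + 1], reserves one extra byte, but nothing in this hunk shows that byte being written, so the fix is only complete if the code that fills hex_digest stores a terminating NUL at index APR_SHA1_DIGESTSIZE * 2 before the buffer is used as a string. Please include or point to those lines in the patch, and add a short comment on the declaration saying that the extra byte is for the terminator (two hex characters per digest byte, plus one). Defining the size once under a name and using it both in the declaration and where the digest is written would keep the two from drifting apart again, and a regression test that runs hmac() under a memory checker would document the overflow reported in issue 1198.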
From: Muenz, M. <m....@sp...> - 2017-01-31 08:23:35
|
On 27.01.2017 at 14:41, Muenz, Michael wrote:
> Hi,
>
> perhaps I was too optimistic yesterday! Today I reloaded the nginx with
> the latest source from yesterday and I got a segfault:
>
> Jan 27 14:34:43 waf-1-a-02 kernel: [ 820.688227] nginx[2307]: segfault
> at 7f5e2db82000 ip 00007fe1ae76ec3a sp 00007ffc71a62a58 error 4 in
> libc-2.19.so[7fe1ae6ed000+1a1000]
>
>
> ...

Hi,

I had a look at the latest additions and then I saw that master branch of ModSecurity-nginx is newer than experimental? Was there a merge or any note I missed to use the master instead of experimental?

Thanks,
Michael |
From: Muenz, M. <m....@sp...> - 2017-01-27 13:41:39
|
Hi,

perhaps I was too optimistic yesterday! Today I reloaded the nginx with the latest source from yesterday and I got a segfault:

Jan 27 14:34:43 waf-1-a-02 kernel: [ 820.688227] nginx[2307]: segfault at 7f5e2db82000 ip 00007fe1ae76ec3a sp 00007ffc71a62a58 error 4 in libc-2.19.so[7fe1ae6ed000+1a1000]

Then I checked my nginx errlog. I switched productive traffic to this machine at 14:24 and at 14:31 the error.log threw thousands of:

*** Error in `nginx: worker process': free(): invalid pointer: 0x00007ffc71a61ba8 ***
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
2017/01/27 14:31:25 [notice] 2307#2307: signal 17 (SIGCHLD) received
2017/01/27 14:31:25 [alert] 2307#2307: worker process 2339 exited on signal 6
2017/01/27 14:31:25 [notice] 2307#2307: start worker process 2727
2017/01/27 14:31:25 [notice] 2307#2307: signal 29 (SIGIO) received
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
*** Error in `nginx: worker process': free(): invalid pointer: 0x00007ffc71a61ba8 ***
2017/01/27 14:31:25 [notice] 2307#2307: signal 17 (SIGCHLD) received
2017/01/27 14:31:25 [alert] 2307#2307: worker process 2342 exited on signal 6
*** Error in `nginx: worker process': munmap_chunk(): invalid pointer: 0x00007ffc71a61ba8 ***
2017/01/27 14:31:25 [notice] 2307#2307: start worker process 2730
2017/01/27 14:31:25 [notice] 2307#2307: signal 29 (SIGIO) received
2017/01/27 14:31:25 [notice] 2307#2307: signal 17 (SIGCHLD) received
2017/01/27 14:31:25 [alert] 2307#2307: worker process 2345 exited on signal 6
2017/01/27 14:31:25 [notice] 2307#2307: start worker process 2731
2017/01/27 14:31:25 [notice] 2307#2307: signal 29 (SIGIO) received
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
2017/01/27 14:31:25 [notice] 2307#2307: signal 17 (SIGCHLD) received
2017/01/27 14:31:25 [alert] 2307#2307: worker process 2334 exited on signal 6
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
*** Error in `nginx: worker process': munmap_chunk(): invalid pointer: 0x00007ffc71a61ba8 ***
2017/01/27 14:31:25 [notice] 2307#2307: start worker process 2732
2017/01/27 14:31:25 [notice] 2307#2307: signal 29 (SIGIO) received
2017/01/27 14:31:25 [notice] 2307#2307: signal 17 (SIGCHLD) received
2017/01/27 14:31:25 [alert] 2307#2307: worker process 2343 exited on signal 6
2017/01/27 14:31:25 [notice] 2307#2307: start worker process 2733

Finally after reloading the nginx process it crashed with the segfault. I'm quite sure it has something to do with the latest source of MS3.

Any ideas?

Thanks,
Michael |
From: Muenz, M. <m....@sp...> - 2017-01-26 12:50:17
|
On 26.01.2017 at 11:15, Muenz, Michael wrote:
> Any ideas?
>
> Michael
>

Ok, I fetched the latest source and recompiled it on a backup machine, then the audit.log is silent. Killed nginx on the primary and switched service to primary again and it logged again. So it has nothing to do with nginx -s stop, must be something within the code which is already fixed.

Sorry
Michael |
From: Muenz, M. <m....@sp...> - 2017-01-26 10:15:27
|
Hi,

I'm running v3 with the source of 12.12.16 just fine. Now I had to troubleshoot some stuff and found out that the audit.log was full of logs. So I decided to set SecAuditLogRelevantStatus "403" and restarted nginx. The result was the same! Then I set "SecAuditEngine Off", restarted nginx and again, the audit.log gets new entries.

Nginx is N+ based on 1.11.5

nginx version: nginx/1.11.5 (nginx-plus-r11)
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.1t 3 May 2016
TLS SNI support enabled
configure arguments: --build=nginx-plus-r11 --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_jwt_module --with-http_auth_request_module --with-http_dav_module --with-http_f4f_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_hls_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_session_log_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed'

I have multiple vhosts and enable it via:

server {
    listen XXX:80;
    server_name XXX;
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
    modsecurity_rules 'SecRuleRemoveById 200002
    SecRuleRemoveById 980130
    SecRuleRemoveById 920130
    ...

Main.conf is:

Include "/etc/nginx/modsec/modsecurity.conf"

# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"

# OWASP CRS v3 rules
#Include "/etc/nginx/modsec/owasp-v3-3/crs-setup.conf"
#Include "/etc/nginx/modsec/owasp-v3-3/rules_own2/*.conf"
Include "/etc/nginx/modsec/owasp-modsecurity-crs-3.0.0/crs-setup.conf"
Include "/etc/nginx/modsec/owasp-modsecurity-crs-3.0.0/rules/*.conf"

And in modsecurity.conf:

...
# -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine Off
#SecAuditEngine RelevantOnly
#SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogRelevantStatus "403"

# Log everything we know about a transaction.
#SecAuditLogParts ABIJDEFHZ
SecAuditLogParts ABCDEFHIJKZ

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log
...

This is how I restart it:

nginx -s stop
nginx

Any ideas?

Michael

--
www.routerperformance.net - Cisco, Linux, Networks |
From: Muenz, M. <m....@sp...> - 2016-12-13 05:14:52
|
On 12.12.2016 at 22:59, Felipe Costa wrote:
> Hi Michael,
>
> What do you have in your configuration file?
>
> Is it something like:
>
> http {
>   server { }
>   server { }
> }
>
> Or
>
> http {
>   server {}
> }
>
> http {
>   server {}
> }
>
>
> For the first case you can specify the ModSecurity configuration inside
> the http tag. The second one is something that we have to work on.
> I did not think about this second case when I was designing this
> configuration thing. It seems like it is a common approach in the distros,
> to split up the configuration into multiple files.
>
> Let me check if there is an option on nginx to specify a global config
> entry, that can hit multiple sites without being specified in the root.
> My guess is that other 'addons' already hit this very same issue.
>
> The download is just one of the problems, we also have to take into
> consideration that those multiple configurations are residing in memory...
> consuming memory without really needing to.
>
>

Hi Felipe,

In my main nginx.conf is just the http {} with all the backend servers (it's a reverse proxy). All the virtual hosts are stored in a subdirectory only with the server {} stuff and were included within the http {} from above.

So then it must be the first case, but when I set this in http {}

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
    modsecurity_rules_remote key https://dashboard.modsecurity.org/rules/download/plain;

Nothing happens. nginx -t doesn't report any problems but when I reload nginx and follow the traffic with tcpdump, it doesn't try to download the rules.

Thanks,
Michael |
From: Felipe C. <FC...@tr...> - 2016-12-12 21:59:14
|
Hi Michael,

What do you have in your configuration file?

Is it something like:

    http {
      server { }
      server { }
    }

Or

    http {
      server {}
    }

    http {
      server {}
    }

For the first case you can specify the ModSecurity configuration inside the http tag. The second one is something that we have to work on. I did not think about this second case when I was designing this configuration thing. It seems like it is a common approach in the distros, to split up the configuration into multiple files.

Let me check if there is an option on nginx to specify a global config entry, that can hit multiple sites without being specified in the root. My guess is that other 'addons' already hit this very same issue.

The download is just one of the problems, we also have to take into consideration that those multiple configurations are residing in memory... consuming memory without really needing to.

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

On 12/12/16, 6:18 PM, "Muenz, Michael" <m....@sp...> wrote:

>Hi,
>
>with Nginx and the latest MS3 the restart/reload of ModSecurity takes
>ages (around 5min) when Commercial Rules are enabled in modsecurity.conf
>via SecRemoteRule.
>
>Finally I *thought* that I found the solution to enable it via
>modsecurity_rules_remote directive from nginx. Now the reload takes
>about 15sec.
>
>The problem is, I'm running 20 small virtual hosts on the nginx instance
>and for every instance the rules are downloaded again and again. Now I'm
>back at the 5min.
>
>I can't imagine that this behavior is expected by the founder because I
>can't even start nginx via init/systemd because it times out. Only when
>starting the daemon with /usr/sbin/nginx it starts.
>
>
>Isn't there a way to download the rules one time and let all sites
>reference it? I know I could/should ask the Trustwave support, but
>I'm sure they will get back to you :)
>
>
>Thanks,
>
>Michael
|
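To check how many contexts in a configuration declare their own modsecurity_rules_remote (the per-vhost repetition discussed in this thread), the following added example scans nginx configuration text; it is not code from the thread or from the ModSecurity project. The sample configuration, the placeholder URL, the `#n` block numbering and the function names are constructed for illustration, and include files are assumed to be already expanded into one text.

```python
import re

# Constructed sample (includes already expanded); the URL is a placeholder.
SAMPLE = """
http {
    upstream backend { server 10.0.0.1:8080; }
    server {
        server_name a.example;
        modsecurity on;
        modsecurity_rules_remote key https://rules.example.invalid/plain;  # per vhost
    }
    server {
        server_name b.example;
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;
        modsecurity_rules_remote key https://rules.example.invalid/plain;
    }
    server { server_name c.example; }
}
"""

# Quoted strings, comments, punctuation, bare words (quotes and '#' only count at token start).
TOKEN = re.compile(r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|#[^\n]*|[{};]|[^\s{};'"#][^\s{};]*""")

def modsec_directives(text):
    """Return (context, directive, args) for every modsecurity* directive in text."""
    found, stack, words, blocks = [], [], [], 0
    for tok in (m.group(0) for m in TOKEN.finditer(text)):
        if tok.startswith("#"):
            continue                      # comment
        if tok == "{":
            blocks += 1                   # number blocks so sibling servers differ
            stack.append(f"{words[0] if words else '?'}#{blocks}")
        elif tok == "}":
            if stack:
                stack.pop()
        elif tok == ";":
            if words and words[0].startswith("modsecurity"):
                found.append(("/".join(stack), words[0], words[1:]))
        else:
            words.append(tok)
            continue
        words = []                        # '{', '}' or ';' ends the current directive
    return found

def remote_rule_contexts(text):
    """Contexts that declare their own modsecurity_rules_remote."""
    return [ctx for ctx, name, _ in modsec_directives(text)
            if name == "modsecurity_rules_remote"]

if __name__ == "__main__":
    for ctx in remote_rule_contexts(SAMPLE):
        print("remote rules declared in", ctx)
```

A result with one entry per server block matches the layout reported in the thread, where every vhost fetches the rules on its own; a single `http#1` entry is the shared placement described as the first case.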
From: Muenz, M. <m....@sp...> - 2016-12-12 21:18:40
|
Hi,

with Nginx and the latest MS3 the restart/reload of ModSecurity takes ages (around 5min) when Commercial Rules are enabled in modsecurity.conf via SecRemoteRule.

Finally I *thought* that I found the solution to enable it via modsecurity_rules_remote directive from nginx. Now the reload takes about 15sec.

The problem is, I'm running 20 small virtual hosts on the nginx instance and for every instance the rules are downloaded again and again. Now I'm back at the 5min.

I can't imagine that this behavior is expected by the founder because I can't even start nginx via init/systemd because it times out. Only when starting the daemon with /usr/sbin/nginx it starts.

Isn't there a way to download the rules one time and let all sites reference it? I know I could/should ask the Trustwave support, but I'm sure they will get back to you :)

Thanks,

Michael |
From: Muenz, M. <m....@sp...> - 2016-12-12 21:08:24
|
On 12.12.2016 at 12:28, Felipe Costa wrote:
> Hi Michael,
>
>
> I am glad that you have v3 working. If you have any question, we will be glad to help ;)
>
>

In fact I have another one, but I'll open a new thread for this.

Thanks,
Michael |