mod-security-developers Mailing List for ModSecurity (Page 8)
Brought to you by:
victorhora,
zimmerletw
From: Felipe C. <FC...@tr...> - 2016-12-12 11:28:45
|
Hi Michael,

I am glad that you have v3 working. If you have any question, we will be glad to help ;)

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

On 12/11/16, 3:21 AM, "Muenz, Michael" <m....@sp...> wrote:

>On 10.12.2016 at 14:40, Muenz, Michael wrote:
>> On 10.12.2016 at 14:03, Muenz, Michael wrote:
>>> On 09.12.2016 at 12:59, Felipe Costa wrote:
>>>> Hi Michael,
>>>>
>>>> You may want to upgrade your libModSecurity to the most recent version, this
>>>> specific issue was fixed a while ago.
>>>>
>>> Hi Felipe,
>>>
>>> were there some major changes? I did a fresh setup like in this article:
>>> http://scanmail.trustwave.com/?c=4062&d=ovDM2FD_rCATjLhLm3JQLa2-N7PhoJ2yBEe-t0HnEg&s=5&u=http%3a%2f%2fwww%2erouterperformance%2enet%2fhowtos%2fsetup-modsecurity-3-and-nginx-in-debian-8%2f
>>>
>>> This worked with source from mid November but now I get a
>>> nginx: [emerg] module
>>> "/etc/nginx/modules/ngx_http_modsecurity_module.so" is not binary
>>> compatible in /etc/nginx/nginx.conf:8
>>>
>>> Source from nginx is the same, don't know why it doesn't work now. :(
>>>
>>>
>>
>> Doooh ... forget my mail. I forgot that with N+ you have to use the same
>> configure params.
>> Now it works really fine!!!
>>
>> The only problem I still have is, that with ModSecurity Commercial
>> Rules, it takes about 5 minutes to restart/reload nginx.
>>
>>
>
>Sorry for spamming but I fixed this one too.
>With nginx (ATM) you don't have to use SecRuleRemote in MS config,
>instead just use the variable modsecurity_rules_remote described in
>https://scanmail.trustwave.com/?c=4062&d=ovDM2FD_rCATjLhLm3JQLa2-N7PhoJ2yBEHssBe3TA&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity-nginx
>
>
>------------------------------------------------------------------------------
>Developer Access Program for Intel Xeon Phi Processors
>Access to Intel Xeon Phi processor-based developer platforms.
>With one year of Intel Parallel Studio XE.
>Training and support from Colfax.
>Order your platform today. http://sdm.link/xeonphi
>_______________________________________________
>mod-security-developers mailing list
>mod...@li...
>https://scanmail.trustwave.com/?c=4062&d=ovDM2FD_rCATjLhLm3JQLa2-N7PhoJ2yBEHuvUCzEQ&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-developers
>ModSecurity Services from Trustwave's SpiderLabs:
>https://www.trustwave.com/spiderLabs.php

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
|
From: Muenz, M. <m....@sp...> - 2016-12-11 06:22:08
|
On 10.12.2016 at 14:40, Muenz, Michael wrote:
> On 10.12.2016 at 14:03, Muenz, Michael wrote:
>> On 09.12.2016 at 12:59, Felipe Costa wrote:
>>> Hi Michael,
>>>
>>> You may want to upgrade your libModSecurity to the most recent version, this
>>> specific issue was fixed a while ago.
>>>
>> Hi Felipe,
>>
>> were there some major changes? I did a fresh setup like in this article:
>> http://www.routerperformance.net/howtos/setup-modsecurity-3-and-nginx-in-debian-8/
>>
>> This worked with source from mid November but now I get a
>> nginx: [emerg] module
>> "/etc/nginx/modules/ngx_http_modsecurity_module.so" is not binary
>> compatible in /etc/nginx/nginx.conf:8
>>
>> Source from nginx is the same, don't know why it doesn't work now. :(
>>
>>
>
> Doooh ... forget my mail. I forgot that with N+ you have to use the same
> configure params.
> Now it works really fine!!!
>
> The only problem I still have is, that with ModSecurity Commercial
> Rules, it takes about 5 minutes to restart/reload nginx.
>
>

Sorry for spamming but I fixed this one too.
With nginx (ATM) you don't have to use SecRuleRemote in MS config,
instead just use the variable modsecurity_rules_remote described in
https://github.com/SpiderLabs/ModSecurity-nginx
|
From: Muenz, M. <m....@sp...> - 2016-12-10 13:40:49
|
On 10.12.2016 at 14:03, Muenz, Michael wrote:
> On 09.12.2016 at 12:59, Felipe Costa wrote:
>> Hi Michael,
>>
>> You may want to upgrade your libModSecurity to the most recent version, this
>> specific issue was fixed a while ago.
>>
> Hi Felipe,
>
> were there some major changes? I did a fresh setup like in this article:
> http://www.routerperformance.net/howtos/setup-modsecurity-3-and-nginx-in-debian-8/
>
> This worked with source from mid November but now I get a
> nginx: [emerg] module
> "/etc/nginx/modules/ngx_http_modsecurity_module.so" is not binary
> compatible in /etc/nginx/nginx.conf:8
>
> Source from nginx is the same, don't know why it doesn't work now. :(
>
>

Doooh ... forget my mail. I forgot that with N+ you have to use the same configure params.
Now it works really fine!!!

The only problem I still have is, that with ModSecurity Commercial Rules, it takes about 5 minutes to restart/reload nginx.

Thanks
Michael
|
From: Muenz, M. <m....@sp...> - 2016-12-10 13:03:36
|
On 09.12.2016 at 12:59, Felipe Costa wrote:
> Hi Michael,
>
> You may want to upgrade your libModSecurity to the most recent version, this
> specific issue was fixed a while ago.
>

Hi Felipe,

were there some major changes? I did a fresh setup like in this article:
http://www.routerperformance.net/howtos/setup-modsecurity-3-and-nginx-in-debian-8/

This worked with source from mid November but now I get a

nginx: [emerg] module "/etc/nginx/modules/ngx_http_modsecurity_module.so" is not binary compatible in /etc/nginx/nginx.conf:8

Source from nginx is the same, don't know why it doesn't work now. :(

Michael
|
From: Felipe C. <FC...@tr...> - 2016-12-09 12:05:08
|
Hi Kestutis,

Did you ever try the ModSecurity-nginx connector with v3? Any specific reason why not to use it?

I never tried to compile the v2 into a dynamic module. I would suggest to look at the ModSecurity-nginx module, it should be similar -
https://github.com/SpiderLabs/ModSecurity-nginx/blob/master/config

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>

From: Kestutis Armalis <kes...@ze...<mailto:kes...@ze...>>
Reply-To: "mod...@li...<mailto:mod...@li...>" <mod...@li...<mailto:mod...@li...>>
Date: Tuesday, December 6, 2016 at 11:43 AM
To: "mod...@li...<mailto:mod...@li...>" <mod...@li...<mailto:mod...@li...>>
Subject: [Mod-security-developers] ModSecurity V2 as a dynamic nginx module

Hi all,

We have been trying to test and try to "compile" ModSecurity V2 as a dynamic module for Nginx.

Nginx version: nginx/1.11.5 (nginx-plus-r11)

We configure the ModSecurity V2 with these parameters:

CFLAGS="$CFLAGS -fPIC" ./configure --enable-standalone-module --disable-apache2-module --enable-pcre-jit

Then we amend the resulting {{ModSecFolder}}/nginx/modsecurity/config file by deleting everything except for CFLAGS and CORE_LIBS variables as well as adding these lines:

ngx_addon_name=ngx_http_modsecurity
NGX_ADDON_SRCS="$NGX_ADDON_SRCS \
    $ngx_addon_dir/ngx_http_modsecurity.c \
    $ngx_addon_dir/apr_bucket_nginx.c \
    $ngx_addon_dir/ngx_pool_context.c"
NGX_ADDON_DEPS="$NGX_ADDON_DEPS \
    $ngx_addon_dir/apr_bucket_nginx.h \
    $ngx_addon_dir/ngx_pool_context.h"
CORE_LIBS="$ngx_addon_dir/../../standalone/.libs/standalone.a $CORE_LIBS"
CORE_INCS="$CORE_INCS \
    $ngx_addon_dir \
    $ngx_addon_dir/../../standalone \
    $ngx_addon_dir/../../apache2"
ngx_module_type=HTTP_AUX_FILTER
ngx_module_name="$ngx_addon_name"
ngx_module_srcs="$NGX_ADDON_SRCS"
ngx_module_deps="$NGX_ADDON_DEPS"
ngx_module_libs="$CORE_LIBS"
ngx_module_incs="$CORE_INCS"
. auto/module

Then we build it using the nginx's dynamic module creation instructions alongside with a few other modules.

The "make modules" command actually works and it produces a dynamic library that you can load using the config. It even checks for configuration errors and reports if there are any issues.

However, upon runtime whenever the rules need to be actually run, this happens:

Program received signal SIGFPE, Arithmetic exception.
0x00007ffff5dc14a2 in ngx_pool_set_ctx (pool=0x7fffef051c00, index=104, data=data@entry=0x7fffef053278) at {{MODSECPATH}}/nginx/modsecurity/ngx_pool_context.c:131
131 sizeof(hash)) % ngx_pool_context_hash_size;

Looks like it's a division by 0, where ngx_pool_context_hash_size is a 0 and it seems never to be set via ngx_pool_context_init_conf function.

Our question is basically this: Has anyone tried and succeeded with compiling a version of ModSecurity for nginx without using the currently in development V3 (with the separate connector)? Even if the dynamic module is for the open source community version of nginx (rather than the nginx+).

Many thanks,
Kestutis Armalis
|
From: Felipe C. <FC...@tr...> - 2016-12-09 12:00:08
|
Hi Michael,

You may want to upgrade your libModSecurity to the most recent version, this specific issue was fixed a while ago.

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

On 12/7/16, 4:53 AM, "Muenz, Michael" <m....@sp...> wrote:

>On 06.12.2016 at 15:43, Kestutis Armalis wrote:
>>
>> Our question is basically this: Has anyone tried and succeeded with
>> compiling a version of ModSecurity for nginx without using the
>> currently in development V3 (with the separate connector)? Even if
>> the dynamic module is for the open source community version of nginx
>> (rather than the nginx+).
>
>No, but I've compiled v3 with 1.11.5 community and successfully loaded
>the module within nginx+.
>There was segfault when stopping the daemon, perhaps it's already fixed
>cause I had a call with N+ support and they wanted to get in touch with
>the MS team.
>
>I'm running the commercial WAF module from N+. It's stable but there are
>some known issues because it's based on early RC1.
>
>Michael
|
From: Muenz, M. <m....@sp...> - 2016-12-07 07:53:34
|
On 06.12.2016 at 15:43, Kestutis Armalis wrote:
>
> Our question is basically this: Has anyone tried and succeeded with
> compiling a version of ModSecurity for nginx without using the
> currently in development V3 (with the separate connector)? Even if
> the dynamic module is for the open source community version of nginx
> (rather than the nginx+).

No, but I've compiled v3 with 1.11.5 community and successfully loaded the module within nginx+.
There was segfault when stopping the daemon, perhaps it's already fixed cause I had a call with N+ support and they wanted to get in touch with the MS team.

I'm running the commercial WAF module from N+. It's stable but there are some known issues because it's based on early RC1.

Michael
|
From: Kestutis A. <kes...@ze...> - 2016-12-06 15:11:28
|
Hi all,

We have been trying to test and try to "compile" ModSecurity V2 as a dynamic module for Nginx.

Nginx version: nginx/1.11.5 (nginx-plus-r11)

We configure the ModSecurity V2 with these parameters:

CFLAGS="$CFLAGS -fPIC" ./configure --enable-standalone-module --disable-apache2-module --enable-pcre-jit

Then we amend the resulting {{ModSecFolder}}/nginx/modsecurity/config file by deleting everything except for CFLAGS and CORE_LIBS variables as well as adding these lines:

ngx_addon_name=ngx_http_modsecurity
NGX_ADDON_SRCS="$NGX_ADDON_SRCS \
    $ngx_addon_dir/ngx_http_modsecurity.c \
    $ngx_addon_dir/apr_bucket_nginx.c \
    $ngx_addon_dir/ngx_pool_context.c"
NGX_ADDON_DEPS="$NGX_ADDON_DEPS \
    $ngx_addon_dir/apr_bucket_nginx.h \
    $ngx_addon_dir/ngx_pool_context.h"
CORE_LIBS="$ngx_addon_dir/../../standalone/.libs/standalone.a $CORE_LIBS"
CORE_INCS="$CORE_INCS \
    $ngx_addon_dir \
    $ngx_addon_dir/../../standalone \
    $ngx_addon_dir/../../apache2"
ngx_module_type=HTTP_AUX_FILTER
ngx_module_name="$ngx_addon_name"
ngx_module_srcs="$NGX_ADDON_SRCS"
ngx_module_deps="$NGX_ADDON_DEPS"
ngx_module_libs="$CORE_LIBS"
ngx_module_incs="$CORE_INCS"
. auto/module

Then we build it using the nginx's dynamic module creation instructions alongside with a few other modules.

The "make modules" command actually works and it produces a dynamic library that you can load using the config. It even checks for configuration errors and reports if there are any issues.

However, upon runtime whenever the rules need to be actually run, this happens:

Program received signal SIGFPE, Arithmetic exception.
0x00007ffff5dc14a2 in ngx_pool_set_ctx (pool=0x7fffef051c00, index=104, data=data@entry=0x7fffef053278) at {{MODSECPATH}}/nginx/modsecurity/ngx_pool_context.c:131
131 sizeof(hash)) % ngx_pool_context_hash_size;

Looks like it's a division by 0, where ngx_pool_context_hash_size is a 0 and it seems never to be set via ngx_pool_context_init_conf function.

Our question is basically this: Has anyone tried and succeeded with compiling a version of ModSecurity for nginx without using the currently in development V3 (with the separate connector)? Even if the dynamic module is for the open source community version of nginx (rather than the nginx+).

Many thanks,
Kestutis Armalis
|
From: Christian F. <chr...@ne...> - 2016-11-18 06:32:20
|
Hi there,

On Thu, Nov 17, 2016 at 04:26:15PM +0000, D. Pati wrote:
> We have need to fork requests from our Apache proxyservers while we
> migrate our infrastructure. We were thinking of using ModSecurity
> module and adding a capability to forward copy of request to our new
> url. We do not need to handle response at this time from the forked
> request. my question is if it is possible to do that using
> modsecurity. If so, where is the good entry for this code change? Or
> should I be looking at different module or solution which are better
> for this purpose? thanks

I think this is something for a lua script which can be called easily from within ModSecurity.

Unfortunately, the ModSecurity/Lua documentation is not very well developed, but I am quite sure this will work.

Ahoj,

Christian

--
https://www.feistyduck.com/training/modsecurity-training-course
mailto:chr...@ne...
twitter: @ChrFolini
|
From: D. P. <dhi...@ya...> - 2016-11-17 16:29:08
|
Hello,

We have need to fork requests from our Apache proxyservers while we migrate our infrastructure. We were thinking of using ModSecurity module and adding a capability to forward copy of request to our new url. We do not need to handle response at this time from the forked request. My question is if it is possible to do that using modsecurity. If so, where is the good entry for this code change? Or should I be looking at different module or solution which are better for this purpose? Thanks
|
From: Felipe C. <FC...@tr...> - 2016-10-21 12:43:39
|
Hi,

Few weeks ago I did some changes on the structure for the ModSecurity's git repository. Back then I have created this `v3/master' branch which was in sync with the branch `libmodsecurity'.

To make our repository even cleaner I am going to delete the `libmodsecurity' branch. Please use the v3/master instead. All the compilation recipes are already changed to v3/master.

You can update your local branch to track origin/v3/master:

$ git fetch
$ git branch libmodsecurity --set-upstream-to origin/v3/master

Thank you,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>
|
From: Amlaan K. <aml...@gm...> - 2016-10-16 05:51:40
|
I have created a handler in Apache which is supposed to parse the URL entered. If the conditions defined by the handler are satisfied, the handler returns DECLINED AND the page requested is open. If not, the handler displays "Rejected". However, the problem I am facing is that when I am trying to display a PHP page, the PHP handler does not help execute the PHP code after my handler returns DECLINED. I feel that using the XML parser affects my program performance. Can I use mod_security to execute this module? If yes, how do I do so? |
From: Christian F. <chr...@ne...> - 2016-09-05 19:31:37
|
Great. Thanks.

As I stated in my first message, the sourcecode says it's SecGeoLookupDB and SecGsbLookupDB, while the documentation consistently speaks of ...Db.

Db would also be consistent with the naming schema used throughout the other directives, operators, actions etc. So I wonder if the sourcecode should not follow the schema.

Not that it would really matter as long as the parser is case insensitive... ;)

Ahoj,

Christian

On Mon, Sep 05, 2016 at 03:51:57PM +0000, Felipe Costa wrote:
> Hi Christian,
>
> On 9/5/16, 11:14 AM, "Christian Folini" <chr...@ne...> wrote:
>
> (…)
>
> >With Apache, it is the Apache directive parser which guarantees that
> >directives are case insensitive. So I was not sure for the other
> >cases. But you confirm it's the same with IIS and nginX (and
> >libmodsec, where you made sure it works consistently)?
> >
>
> For the apache version, like you cited, we use the Apache parser. For the standalone
> modules (2.x family) we use standalone parser which is basically the same thing as
> Apache does: [1]. The libmodsecurity implementation is the most different one, that
> involves a grammar.
>
> I would say that if one specific version is acting different from the others we have a bug.
> Since the Apache is the first one, we have to respect what we have there.
>
> [1] https://github.com/SpiderLabs/ModSecurity/blob/master/standalone/config.c
>
> Br.,
> Felipe “Zimmerle” Costa
> Security Researcher, Lead Developer ModSecurity.
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>

--
https://www.feistyduck.com/training/modsecurity-training-course
mailto:chr...@ne...
twitter: @ChrFolini
|
From: Felipe C. <FC...@tr...> - 2016-09-05 15:52:13
|
Hi Christian,

On 9/5/16, 11:14 AM, "Christian Folini" <chr...@ne...> wrote:

(…)

>With Apache, it is the Apache directive parser which guarantees that
>directives are case insensitive. So I was not sure for the other
>cases. But you confirm it's the same with IIS and nginX (and
>libmodsec, where you made sure it works consistently)?
>

For the apache version, like you cited, we use the Apache parser. For the standalone modules (2.x family) we use standalone parser which is basically the same thing as Apache does: [1]. The libmodsecurity implementation is the most different one, that involves a grammar.

I would say that if one specific version is acting different from the others we have a bug. Since the Apache is the first one, we have to respect what we have there.

[1] https://github.com/SpiderLabs/ModSecurity/blob/master/standalone/config.c

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>
|
From: Christian F. <chr...@ne...> - 2016-09-05 14:14:47
|
Hello Felipe,

Thank you for your swift response.

On Mon, Sep 05, 2016 at 01:58:24PM +0000, Felipe Costa wrote:
> Good question. The directive names in all versions (including nginx, iis and libModSecurity)
> should be treated in the same way.

With Apache, it is the Apache directive parser which guarantees that directives are case insensitive. So I was not sure for the other cases. But you confirm it's the same with IIS and nginX (and libmodsec, where you made sure it works consistently)?

Ahoj,

Christian

--
Ignorance, allied with power, is the most ferocious enemy justice can have.
-- James Baldwin
|
From: Felipe C. <FC...@tr...> - 2016-09-05 13:58:41
|
Hi Christian,

Good question. The directive names in all versions (including nginx, iis and libModSecurity) should be treated in the same way.

Here is the piece of code from libModSecurity for this specific directive:
https://github.com/SpiderLabs/ModSecurity/blob/libmodsecurity/src/parser/seclang-scanner.ll#L80

Notice the `?i:’, this is the key to make the directive case insensitive.

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

On 9/5/16, 10:39 AM, "Christian Folini" <chr...@ne...> wrote:

>Hi there,
>
>The sourcecode defines the function
>SecGeoLookupDB.
>However, all references in the documentation point to
>SecGeoLookupDb.
>
>Apache directives are case insensitive. So this is no big deal.
>But what's the matter on NginX and IIS. Do both variants work there?
>Or has the documentation to be adopted. And how about v3?
>
>Ahoj,
>
>Christian
>
>
>--
>https://scanmail.trustwave.com/?c=4062&d=yfXN15-hXAx9I7-upzFOf1_QB-ShRJISXePxha0Rmw&s=5&u=https%3a%2f%2fwww%2efeistyduck%2ecom%2ftraining%2fmodsecurity-training-course
>mailto:chr...@ne...
>twitter: @ChrFolini
|
From: Christian F. <chr...@ne...> - 2016-09-05 13:40:07
|
Hi there,

The sourcecode defines the function
SecGeoLookupDB.
However, all references in the documentation point to
SecGeoLookupDb.

Apache directives are case insensitive. So this is no big deal.
But what's the matter on NginX and IIS. Do both variants work there?
Or has the documentation to be adopted. And how about v3?

Ahoj,

Christian

--
https://www.feistyduck.com/training/modsecurity-training-course
mailto:chr...@ne...
twitter: @ChrFolini
|
From: Felipe C. <FC...@tr...> - 2016-09-05 12:44:22
|
Hi John,

The ModSecurity for Java is maintained here:
https://github.com/SpiderLabs/ModSecurity/tree/v2/exp/ModSecurity_for_Java

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

From: john mas <joj...@gm...>
Reply-To: "mod...@li..." <mod...@li...>
Date: Sunday, September 4, 2016 at 9:07 AM
To: "mod...@li..." <mod...@li...>
Subject: [Mod-security-developers] Fwd: ModSecurity for Java

Hi,

Was ModSecurity for Java ever released?
Last update is:
https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-for-Java---BETA-Testers-Needed/

Can anyone please update.
|
From: john m. <joj...@gm...> - 2016-09-04 12:07:09
|
Hi,

Was ModSecurity for Java ever released?
Last update is:
https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-for-Java---BETA-Testers-Needed/

Can anyone please update.
|
From: T. L. O. <mwa...@gm...> - 2016-07-27 12:59:46
|
As to the subject, the usage of function modsecurity_request_body_retrieve in another function input_filter is incorrect. If the return value of modsecurity_request_body_retrieve is 1, it means there are more chunks left, so it should be called again until it doesn't return 1. |
From: Felipe C. <FC...@tr...> - 2016-07-13 03:35:30
|
Hi,

I would like to invite you guys to our next developer meeting. The main subjects to be discussed are:

1. Open Issues that demand discussion;
2. Open Pull requests;
3. Repository reorganization to hold v2 and v3 (initial suggestions By Jorge Pereira, to be shared before the meeting);
4. Comparing the results running OWASP CRS between ModSecurity version 3 and version 2;
4.1. Possible release candidate for version 3.

As usual, the agenda is also open for discussion.

The meeting will be held at #modsecurity channel at FreeNode. Please use Doodle to tell the best date/time for you:
http://doodle.com/poll/uyawkdpq5awxupwh

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>
|
From: Altgilbers, I. M <Ian...@tu...> - 2016-07-06 03:21:49
|
Ahh.. I didn’t see the users list. I'll post my question to that list. I’ll also try your suggestion… seems like it could work.

Thanks,
Ian

On Jul 5, 2016, at 11:05 PM, Christian Folini <chr...@ne...<mailto:chr...@ne...>> wrote:

Ian,

This is a question which is better addressed to modsec users.

I think this would work if you would save the XML value in a temporary variable and use that variable with initcol afterwards. I have not tested this, but I do not see why it would not work that way, while your construct is smart, but maybe too difficult for ModSec.

Ahoj,

Christian

On Tue, Jul 05, 2016 at 08:48:56PM +0000, Altgilbers, Ian M wrote:

Is it possible to use values from the XML parser with initcol?

I have a WordPress server that is getting hit from distributed IPs, attempting to brute force a few accounts via xmlrpc.php. These are domain accounts, so the users end up with locked accounts, unable to do other work. There are some unsophisticated rules out there would that block brute force attackers by IP, but I need to block by username as well.

I can use the XML parser to get variables to evaluate… This rule properly blocks requests with username “admin”:

SecRule XML:/methodCall/params/param[1]/value "admin" "phase:2,id:19302,deny,log,msg:'XMLRPC - admin not allowed'"

But I’m not having any luck using initcol…

SecAction "initcol:user=%{XML:/methodCall/params/param[1]/value},phase:2,pass,nolog,id:000001"

gives me:

Failed to resolve macro %{xml:/methodcall/params/param[1]/value}: Unknown variable: xml:/methodcall/params/param[1]/value

If I leave off the Xpath query, I don’t get an error, but the user object ends up being the whole XML document, which doesn’t help. Any ideas?

Ian Altgilbers
Senior Systems Administrator
Educational Technology Services
Tufts Technology Services
Tufts University

Phone: 617.627.0388
http://it.tufts.edu/ests

------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San Francisco, CA to explore cutting-edge tech and listen to tech luminaries present their vision of the future. This family event has something for everyone, including kids. Get more information and register today. http://sdm.link/attshape
_______________________________________________
mod-security-developers mailing list
mod...@li...<mailto:mod...@li...>
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php

--
ModSecurity Training in London: Sep 22/23, 2016
https://www.feistyduck.com/training/modsecurity-training-course
mailto:chr...@ne...
twitter: @ChrFolini

Ian Altgilbers
Senior Systems Administrator
Educational Technology Services
Tufts Technology Services
Tufts University

Phone: 617.627.0388
http://it.tufts.edu/ests
|
From: Christian F. <chr...@ne...> - 2016-07-06 03:05:19
Ian,

This is a question which is better addressed to modsec users.

I think this would work if you would save the XML value in a temporary variable and use that variable with initcol afterwards. I have not tested this, but I do not see why it would not work that way, while your construct is smart, but maybe too difficult for ModSec.

Ahoj,

Christian

On Tue, Jul 05, 2016 at 08:48:56PM +0000, Altgilbers, Ian M wrote:
> Is it possible to use values from the XML parser with initcol?
>
> I have a WordPress server that is getting hit from distributed IPs, attempting to brute force a few accounts via xmlrpc.php. These are domain accounts, so the users end up with locked accounts, unable to do other work. There are some unsophisticated rules out there that would block brute force attackers by IP, but I need to block by username as well.
>
> I can use the XML parser to get variables to evaluate… This rule properly blocks requests with username “admin”:
> SecRule XML:/methodCall/params/param[1]/value "admin" "phase:2,id:19302,deny,log,msg:'XMLRPC - admin not allowed'"
>
> But I’m not having any luck using initcol…
> SecAction "initcol:user=%{XML:/methodCall/params/param[1]/value},phase:2,pass,nolog,id:000001"
> gives me:
> Failed to resolve macro %{xml:/methodcall/params/param[1]/value}: Unknown variable: xml:/methodcall/params/param[1]/value
>
> If I leave off the Xpath query, I don’t get an error, but the user object ends up being the whole XML document, which doesn’t help. Any ideas?

--
ModSecurity Training in London: Sep 22/23, 2016
https://www.feistyduck.com/training/modsecurity-training-course
mailto:chr...@ne...
twitter: @ChrFolini
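One way to write the approach suggested in this thread (copy the XML value into a temporary variable, then use that variable with initcol), as an added example that is not part of the original messages. The rule ids 19310-19313, the names tx.xmlrpc_user and user.xmlrpc_calls, and the limit of 20 calls per 600 seconds are assumptions; it also assumes SecDataDir is set and the XML request body processor is already active for xmlrpc.php, as it must be for the working "admin" rule quoted in the thread.

```apache
# Added example, not from the thread. Constructed values: rule ids 19310-19313,
# tx.xmlrpc_user, user.xmlrpc_calls, and the 20 calls / 600 s limit.

# 1. Copy the XPath result into a TX variable. %{XML:...} cannot be expanded
#    as a macro (the "Unknown variable" error in the thread), but the XML
#    target can be matched, and the captured text can be stored with setvar.
#    Lowercasing makes "Admin" and "admin" share one counter; (\S{1,64})
#    takes the first run of non-whitespace characters (assumed format).
SecRule XML:/methodCall/params/param[1]/value "@rx (\S{1,64})" \
    "id:19310,phase:2,pass,nolog,capture,t:none,t:lowercase,\
    setvar:tx.xmlrpc_user=%{TX.1}"

# 2. Open the persistent USER collection keyed on that name, only when
#    step 1 actually produced a value.
SecRule &TX:xmlrpc_user "@eq 1" \
    "id:19311,phase:2,pass,nolog,initcol:user=%{tx.xmlrpc_user}"

# 3. Count this call against the username, whatever the source IP.
#    The counter is dropped 600 s after the most recent call.
SecRule &TX:xmlrpc_user "@eq 1" \
    "id:19312,phase:2,pass,nolog,\
    setvar:user.xmlrpc_calls=+1,expirevar:user.xmlrpc_calls=600"

# 4. Refuse further calls for that username once the limit is passed, so
#    the requests stop reaching the domain login and locking the account.
SecRule USER:xmlrpc_calls "@gt 20" \
    "id:19313,phase:2,deny,status:403,log,\
    msg:'XMLRPC - too many calls for one username',\
    logdata:'%{tx.xmlrpc_user}'"
```

The counter counts every XML-RPC call that carries the username, not only failed logins, so the limit has to sit above what a legitimate XML-RPC client for that account generates.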
From: Altgilbers, I. M <Ian...@tu...> - 2016-07-05 21:54:49
Is it possible to use values from the XML parser with initcol?

I have a WordPress server that is getting hit from distributed IPs, attempting to brute force a few accounts via xmlrpc.php. These are domain accounts, so the users end up with locked accounts, unable to do other work. There are some unsophisticated rules out there that would block brute force attackers by IP, but I need to block by username as well.

I can use the XML parser to get variables to evaluate… This rule properly blocks requests with username “admin”:
SecRule XML:/methodCall/params/param[1]/value "admin" "phase:2,id:19302,deny,log,msg:'XMLRPC - admin not allowed'"

But I’m not having any luck using initcol…
SecAction "initcol:user=%{XML:/methodCall/params/param[1]/value},phase:2,pass,nolog,id:000001"
gives me:
Failed to resolve macro %{xml:/methodcall/params/param[1]/value}: Unknown variable: xml:/methodcall/params/param[1]/value

If I leave off the Xpath query, I don’t get an error, but the user object ends up being the whole XML document, which doesn’t help. Any ideas?

Ian Altgilbers
Senior Systems Administrator
Educational Technology Services
Tufts Technology Services
Tufts University

Phone: 617.627.0388
http://it.tufts.edu/ests
From: Robert P. <rpa...@fe...> - 2016-06-25 21:53:27
... Learn how to use github?

> On Jun 25, 2016, at 14:18, Shahin Ansari <sha...@ve...> wrote:
>
> I get the following error while trying to issue the command stated in the contribution procedures:
> $ git checkout remotes/trunk
> error: pathspec 'remotes/trunk' did not match any file(s) known to git.
> What should I do?