mod-security-developers — Development discussion about mod_security

[Mod-security-developers] git checkout fails

[Shahin A. <sha...@ve...>]

I get the following error while trying to issue the command stated in the
contribution procedures: 

$ git checkout remotes/trunk

error: pathspec 'remotes/trunk' did not match any file(s) known to git.

What should I do?

Re: [Mod-security-developers] [mod-security-users] Comodo reserving rule IDs 200, 000-299, 000, Oracle 100, 000-199, 000

[Christian F. <chr...@ne...>]

Hello Felipe,

Thank you for your clarification.

On Mon, Jun 20, 2016 at 12:44:27PM +0000, Felipe Costa wrote:
> I don’t see a reason why ModSecurity should enforce/limit or dictate the rule ID that a
> user should use or not. Do you think otherwise?

No, there is no point in enforcing. But I think the documentation could
be a bit clearer. And there should not be any obvious errors in the
published ranges. As the ModSecurity project is distributing
rules 200,000 - 200,005, the documentation should not assign this
range to Comodo.

Why don't we write the following:

-----------------------------------------------------------------------

The following is a list of ranges known to be used to by providers of
rules. 

1 - 99,999 ...
... used by ...
... assigned to ...

ModSecurity does not enforce these ranges and the reservation is
only informal. However, if you plan to distribute rules, it makes sense
to take assigned rule ranges into consideration or your users will
run into conflicts, if they combined multiple rulesets. 

If you would like to appear in this list with your project or your
product, then please get in touch with ...

-----------------------------------------------------------------------

And a final note: There is now a single 100K range below 1M available.
Personally, I would not add projects to this list who want such a large
range for themselves. 

Best,

Christian




> 
> Maybe the documentation needs to be clarified a little bit. The word “reservation” may
> not the best one.
> 
> Br.,
> Felipe “Zimmerle” Costa
> Security Researcher, Lead Developer ModSecurity.
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
> 
> 
> 
> 
> 
> On 6/19/16, 3:47 PM, "Christian Folini" <chr...@ne...<mailto:chr...@ne...>> wrote:
> 
> Hello Walter,
> 
> On Sun, Jun 19, 2016 at 05:41:47PM +0200, Walter Hop wrote:
> > With 200K range assigned to Comodo, the case is even weirder. The ModSec
> > project itself is definitely distributing rules in this range in:
> > http://scanmail.trustwave.com/?c=4062&d=zujm12PqzlI-rMIdy_JmyIOdtuJ8qcqIuT3qMGGPAA&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2fblob%2fmaster%2fmodsecurity%2econf-recommended <http://scanmail.trustwave.com/?c=4062&d=zujm12PqzlI-rMIdy_JmyIOdtuJ8qcqIuT3qMGGPAA&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2fblob%2fmaster%2fmodsecurity%2econf-recommended>
> Current version of Comodo’s rules starts at id 210000 right now.
> 
> So this would be a typo then. Would make sense. Thank you for the
> info. Have not had the Comodo rules in my hand...
> 
> (But I can confirm Atomicorp is sticking to their range with one
> exception. Sent them a message.)
> 
> Ahoj,
> 
> Christian
> 
> 
> I don’t have any contacts with their developers, but if they would agree to keep working at 210000 and higher, we could legalize the de facto use of 200xxx by modsecurity.conf (which will be widespread for lots of years anyway):
> 200000-200999: ModSecurity
> 210000-299999: Comodo
> --
> Walter Hop | PGP key: http://scanmail.trustwave.com/?c=4062&d=zujm12PqzlI-rMIdy_JmyIOdtuJ8qcqIuW_gMm7dVw&s=5&u=https%3a%2f%2flifeforms%2enl%2fpgp
> 
> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> patterns at an interface-level. Reveals which users, apps, and protocols are
> consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> J-Flow, sFlow and other flows. Make informed decisions using capacity planning
> reports. http://scanmail.trustwave.com/?c=4062&d=zujm12PqzlI-rMIdy_JmyIOdtuJ8qcqIuTyxNjuNBQ&s=5&u=http%3a%2f%2fsdm%2elink%2fzohomanageengine
> 
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...<mailto:mod...@li...>
> http://scanmail.trustwave.com/?c=4062&d=zujm12PqzlI-rMIdy_JmyIOdtuJ8qcqIuWngOm3ZBA&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
> 
> 
> --
> mailto:chr...@ne...
> http://scanmail.trustwave.com/?c=4062&d=zujm12PqzlI-rMIdy_JmyIOdtuJ8qcqIuWi2Z27XVQ&s=5&u=http%3a%2f%2fwww%2echristian-folini%2ech
> twitter: @ChrFolini
> 
> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> patterns at an interface-level. Reveals which users, apps, and protocols are
> consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> J-Flow, sFlow and other flows. Make informed decisions using capacity planning
> reports. http://scanmail.trustwave.com/?c=4062&d=zujm12PqzlI-rMIdy_JmyIOdtuJ8qcqIuTyxNjuNBQ&s=5&u=http%3a%2f%2fsdm%2elink%2fzohomanageengine
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...<mailto:mod...@li...>
> http://scanmail.trustwave.com/?c=4062&d=zujm12PqzlI-rMIdy_JmyIOdtuJ8qcqIuWngOm3ZBA&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
> 
> ________________________________
> 
> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> patterns at an interface-level. Reveals which users, apps, and protocols are 
> consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
> J-Flow, sFlow and other flows. Make informed decisions using capacity planning
> reports. http://sdm.link/zohomanageengine

> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php


-- 
mailto:chr...@ne...
http://www.christian-folini.ch
twitter: @ChrFolini

Re: [Mod-security-developers] [mod-security-users] Comodo reserving rule IDs 200, 000-299, 000, Oracle 100, 000-199, 000

[Felipe C. <FC...@tr...>]

Hi,

The rules ID reservation is not something that is enforced by ModSecurity, in  this Wikipage
we keep a catalog of who is using each range, the intention is to be informative only. If you
want to create custom rules, and deploy altogether with any of the ruleset listed on the
Wikipage, it will be easy to choose a different range for the IDs, to avoid conflict.

As we don’t have any enforcement on ModSecurity, I don’t see a reason to have a process to
accept or not a this range  “reservation”. For the matter of fact, we can also have overlap in
the so called reservation.

I don’t see a reason why ModSecurity should enforce/limit or dictate the rule ID that a
user should use or not. Do you think otherwise?

Maybe the documentation needs to be clarified a little bit. The word “reservation” may
not the best one.

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>





On 6/19/16, 3:47 PM, "Christian Folini" <chr...@ne...<mailto:chr...@ne...>> wrote:

Hello Walter,

On Sun, Jun 19, 2016 at 05:41:47PM +0200, Walter Hop wrote:
> With 200K range assigned to Comodo, the case is even weirder. The ModSec
> project itself is definitely distributing rules in this range in:
> http://scanmail.trustwave.com/?c=4062&d=zujm12PqzlI-rMIdy_JmyIOdtuJ8qcqIuT3qMGGPAA&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2fblob%2fmaster%2fmodsecurity%2econf-recommended <http://scanmail.trustwave.com/?c=4062&d=zujm12PqzlI-rMIdy_JmyIOdtuJ8qcqIuT3qMGGPAA&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2fblob%2fmaster%2fmodsecurity%2econf-recommended>
Current version of Comodo’s rules starts at id 210000 right now.

So this would be a typo then. Would make sense. Thank you for the
info. Have not had the Comodo rules in my hand...

(But I can confirm Atomicorp is sticking to their range with one
exception. Sent them a message.)

Ahoj,

Christian


I don’t have any contacts with their developers, but if they would agree to keep working at 210000 and higher, we could legalize the de facto use of 200xxx by modsecurity.conf (which will be widespread for lots of years anyway):
200000-200999: ModSecurity
210000-299999: Comodo
--
Walter Hop | PGP key: http://scanmail.trustwave.com/?c=4062&d=zujm12PqzlI-rMIdy_JmyIOdtuJ8qcqIuW_gMm7dVw&s=5&u=https%3a%2f%2flifeforms%2enl%2fpgp

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports. http://scanmail.trustwave.com/?c=4062&d=zujm12PqzlI-rMIdy_JmyIOdtuJ8qcqIuTyxNjuNBQ&s=5&u=http%3a%2f%2fsdm%2elink%2fzohomanageengine

_______________________________________________
mod-security-developers mailing list
mod...@li...<mailto:mod...@li...>
http://scanmail.trustwave.com/?c=4062&d=zujm12PqzlI-rMIdy_JmyIOdtuJ8qcqIuWngOm3ZBA&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php


--
mailto:chr...@ne...
http://scanmail.trustwave.com/?c=4062&d=zujm12PqzlI-rMIdy_JmyIOdtuJ8qcqIuWi2Z27XVQ&s=5&u=http%3a%2f%2fwww%2echristian-folini%2ech
twitter: @ChrFolini

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports. http://scanmail.trustwave.com/?c=4062&d=zujm12PqzlI-rMIdy_JmyIOdtuJ8qcqIuTyxNjuNBQ&s=5&u=http%3a%2f%2fsdm%2elink%2fzohomanageengine
_______________________________________________
mod-security-developers mailing list
mod...@li...<mailto:mod...@li...>
http://scanmail.trustwave.com/?c=4062&d=zujm12PqzlI-rMIdy_JmyIOdtuJ8qcqIuWngOm3ZBA&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] [mod-security-users] Comodo reserving rule IDs 200, 000-299, 000, Oracle 100, 000-199, 000

[Christian F. <chr...@ne...>]

Hello Walter,

On Sun, Jun 19, 2016 at 05:41:47PM +0200, Walter Hop wrote:
> > With 200K range assigned to Comodo, the case is even weirder. The ModSec
> > project itself is definitely distributing rules in this range in:
> > https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended <https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended>
> 
> Current version of Comodo’s rules starts at id 210000 right now.

So this would be a typo then. Would make sense. Thank you for the
info. Have not had the Comodo rules in my hand...

(But I can confirm Atomicorp is sticking to their range with one
exception. Sent them a message.)

Ahoj,

Christian


> 
> I don’t have any contacts with their developers, but if they would agree to keep working at 210000 and higher, we could legalize the de facto use of 200xxx by modsecurity.conf (which will be widespread for lots of years anyway):
> 
> 200000-200999: ModSecurity
> 210000-299999: Comodo
> 
> -- 
> Walter Hop | PGP key: https://lifeforms.nl/pgp
> 

> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> patterns at an interface-level. Reveals which users, apps, and protocols are 
> consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
> J-Flow, sFlow and other flows. Make informed decisions using capacity planning
> reports. http://sdm.link/zohomanageengine

> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php


-- 
mailto:chr...@ne...
http://www.christian-folini.ch
twitter: @ChrFolini

Re: [Mod-security-developers] [mod-security-users] Comodo reserving rule IDs 200, 000-299, 000, Oracle 100, 000-199, 000

[Walter H. <mo...@sp...>]

On 19 Jun 2016, at 06:43, Christian Folini <chr...@ne...> wrote:
> 
> With 200K range assigned to Comodo, the case is even weirder. The ModSec
> project itself is definitely distributing rules in this range in:
> https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended <https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended>

Current version of Comodo’s rules starts at id 210000 right now.

I don’t have any contacts with their developers, but if they would agree to keep working at 210000 and higher, we could legalize the de facto use of 200xxx by modsecurity.conf (which will be widespread for lots of years anyway):

200000-200999: ModSecurity
210000-299999: Comodo

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp

Re: [Mod-security-developers] Comodo reserving rule IDs 200, 000-299, 000, Oracle 100, 000-199, 000

[Christian F. <chr...@ne...>]

On Wed, Jun 15, 2016 at 06:48:16AM +0200, Christian Folini wrote:
> Hi there,
> 
> According to the reference manual, Comodo has reserved the rule
> ids 200,000 to 299,000, while the first ids in this range are
> part of the rules distributed together with the ModSecurity
> sourcecode.
> 
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#id
> 
> Does anybody know more about this, or do we just remove that as
> nonsensical?
> 
> Outside of that, 100,000-199,999 used to be reserved for internal use by
> the engine, now they are claimed by Oracle. 

I checked git and the commit was done by Ryan Barnett in early 2014.

> commit 5ef12e380334fc176fee7b0444da3057befd6c1e
> Author: Ryan Barnett <rcb...@gm...>
> Date:   Wed Jan 15 05:38:14 2014 -0800
>
>    Updated Reference Manual (mediawiki)


$> git diff 855942da..5ef12e38
diff --git a/Reference-Manual.mediawiki b/Reference-Manual.mediawiki
index eed1f05..5d26bc4 100644
--- a/Reference-Manual.mediawiki
+++ b/Reference-Manual.mediawiki
@@ -2944,8 +2944,8 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" "log,id:60008,severity:2,msg:'Request Miss
 These are the reserved ranges:
 
 *1–99,999: reserved for local (internal) use. Use as you see fit, but do not use this range for rules that are distributed to others
-*100,000–199,999: reserved for internal use of the engine, to assign to rules that do not have explicit IDs
-*200,000–299,999: reserved for rules published at modsecurity.org
+*100,000–199,999: reserved for rules published by Oracle
+*200,000–299,999: reserved for rules published Comodo
 *300,000–399,999: reserved for rules published at gotroot.com
 *400,000–419,999: unused (available for reservation)
 *420,000–429,999: reserved for ScallyWhack [http://projects.otaku42.de/wiki/Scally-Whack]


With ids being mandatory, the 100K range might be no longer needed by 
the engine. Still, it's 100K in the lower rule space.

With 200K range assigned to Comodo, the case is even weirder. The ModSec
project itself is definitely distributing rules in this range in:
https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended

What do we do?

Cheers,

Christian


-- 
Besides, Emacs would be a far better OS if it shipped with a 
halfway-decent text editor - like vi for example.

Re: [Mod-security-developers] Comodo reserving rule IDs 200, 000-299, 000, Oracle 100, 000-199, 000

[Robert P. <rpa...@fe...>]

This feels like the early days of IPv4 when /8s were handed out on a whim :p

"You get a ruleset reservation! You get a ruleset reservation! EVERYONE
GETS A RULESET RESERVATION!"

On Tue, Jun 14, 2016 at 9:48 PM, Christian Folini <
chr...@ne...> wrote:

> Hi there,
>
> According to the reference manual, Comodo has reserved the rule
> ids 200,000 to 299,000, while the first ids in this range are
> part of the rules distributed together with the ModSecurity
> sourcecode.
>
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#id
>
> Does anybody know more about this, or do we just remove that as
> nonsensical?
>
> Outside of that, 100,000-199,999 used to be reserved for internal use by
> the engine, now they are claimed by Oracle.
>
> Are people just picking their
> desired rule ranges themselves, or is there some process in place? If
> so, I suggest we describe the said process in the reference manual.
>
> Ahoj,
>
> Christian
>
>
> --
> Learn this lesson, that to be self-contented is to be vile and
> ignorant, and that to aspire is better than to be blindly and
> impotently happy.
> -- Edwin Abbott Abbott
>
>
> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and
> traffic
> patterns at an interface-level. Reveals which users, apps, and protocols
> are
> consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> J-Flow, sFlow and other flows. Make informed decisions using capacity
> planning
> reports.
> http://pubads.g.doubleclick.net/gampad/clk?id=1444514421&iu=/41014381
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

Re: [Mod-security-developers] RPM packages

[Athmane M. <ath...@gm...>]

Hi Giovanni,

On Wed, Jun 15, 2016 at 7:18 PM, Giovanni Tirloni <gp...@gt...> wrote:
> Hi,
>
>  I'm working on deploying libmodsecurity and modsecurity-nginx on
> Fedora/CentOS.
>
>  Has anyone already worked on creating RPM packages for them? If so,
> are the specs available somewhere? I would like to contribute if
> possible.

I started while ago the process to include libmodsecurity in Fedora
and EPEL, here's spec/srpm:

Spec URL: https://athmane.fedorapeople.org/pkgs/libmodsecurity.spec
SRPM URL: https://athmane.fedorapeople.org/pkgs/libmodsecurity-3.0-0.gitf44143.fc23.src.rpm





Best regards.

-- Athmane

[Mod-security-developers] RPM packages

[Giovanni T. <gp...@gt...>]

Hi,

 I'm working on deploying libmodsecurity and modsecurity-nginx on
Fedora/CentOS.

 Has anyone already worked on creating RPM packages for them? If so,
are the specs available somewhere? I would like to contribute if
possible.

Thanks,
Giovanni

[Mod-security-developers] SecRemoteRules very slow

[Jeremy V. <j.v...@df...>]

Hi all,

 

Since we migrated to ModSecurity 2.9 when SecRemoteRules is set, every
action on httpd are very slow : 

 

For example : 

time service httpd configtest

Syntax OK

 

real    0m17.801s

user    0m1.706s

sys     0m0.513s

 

 

Without SecRemoteRules : 

time service httpd configtest

Syntax OK

 

real    0m0.105s

user    0m0.062s

sys     0m0.029s

 

 

The number of downloaded rules is just 24 : [Tue Jun 14 03:43:24.874377
2016] [:notice] [pid 3123] ModSecurity: Loaded 24 rules from:
'https://dashboard.modsecurity.org/rules/download/plain'.

 

Is there any solution to reduce this time ? Every stop / start take awhile.

 

Thanks,

Jérémy 

 

[Mod-security-developers] Comodo reserving rule IDs 200, 000-299, 000, Oracle 100, 000-199, 000

[Christian F. <chr...@ne...>]

Hi there,

According to the reference manual, Comodo has reserved the rule
ids 200,000 to 299,000, while the first ids in this range are
part of the rules distributed together with the ModSecurity
sourcecode.

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#id

Does anybody know more about this, or do we just remove that as
nonsensical?

Outside of that, 100,000-199,999 used to be reserved for internal use by
the engine, now they are claimed by Oracle. 

Are people just picking their
desired rule ranges themselves, or is there some process in place? If
so, I suggest we describe the said process in the reference manual.

Ahoj,

Christian


-- 
Learn this lesson, that to be self-contented is to be vile and
ignorant, and that to aspire is better than to be blindly and
impotently happy. 
-- Edwin Abbott Abbott

Re: [Mod-security-developers] My App with WAF sounds faster

[Felipe C. <FC...@tr...>]

Hi,

Those “performance” related issues are always very interesting.

Talking about performance, we can consider two main things:
1 - The time that takes to load a given web site.
2 - The amount of requests per second or throughput.

Theoretically speaking, ModSecurity will add a little delay to your site, the amount of delay are
driven by the rules that you have loaded. That delay is consequence of the rules execution on top
of the requests/responses, which tends to use CPU cycles (among of other things).

Depending on your server, if there are CPU frequency scaling available [1] or sleeping cores [2],
they may wake, due to the simple fact that ModSecurity is consuming more CPU than it was used before,
forcing the Kernel to use more hardware resources, thus, returning a more quickly response.

But still not correct to say that "with ModSecurity it is performing better", as one of the big
consequences of using more hardware resources is energy consumption and consequently generating
heat. So we can’t call it a better performance, after all, the `hardwares' are somehow different :)


The point is: if you tweak the confirmation of your server, I am sure that you will be able to
achieve better "performance" without ModSecurity.

Despite all the assumptions that I did about your server, I hope I have answered your question ;)


[1] https://wiki.debian.org/HowTo/CpuFrequencyScaling
[2] http://www.ece.ubc.ca/~sasha/papers/eurosys16-final29.pdf


Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>








On 6/4/16, 5:38 AM, "Christian Folini" <chr...@ne...> wrote:

>On Sat, Jun 04, 2016 at 08:12:16AM +0000, Thomas CATTY wrote:
>> Thanks Christian for your quick answer
>> That is exactly what I first answered : it must be just a feeling... But shared today by some  of colleagues and even the end customer himself ;-)
>> So I would love to find a reason... 'cause my App didn't change
>> I'll try to compile done data as you mentioned
>
>We're waiting in anticipation for any data backing up your
>impression.
>
>Ahoj,
>
>Christian
>
>>
>> Many thanks
>>
>> Thomas CATTY
>> Directeur Infrastructures IT & Support
>> 06.95.37.78.32
>> http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVElwg9j63wHg&s=5&u=http%3a%2f%2fwww%2ecacom%2efr
>>
>>
>> > On 03 Jun 2016, at 8:31 PM, Christian Folini <chr...@ne...> wrote:
>> >
>> > Thomas,
>> >
>> > That is a rare observation indeed. Is it a feeling or do you have hard
>> > data?
>> >
>> > Regs,
>> >
>> > Christian
>> >
>> >> On Fri, Jun 03, 2016 at 03:20:51PM +0000, Thomas CATTY wrote:
>> >> Hi guys,
>> >> Hope you’re fine and thanks for your work
>> >> Could one of you explain to me how is it possible that my LAMP App sounds faster since it’s behind the mod_security WAF ;-)
>> >> I can’t explain but this is the case …
>> >> Any compression ? …
>> >>
>> >> Thanks a lot
>> >> Cheers,
>> >>
>> >>
>> >>
>> >>
>> >> Thomas CATTY
>> >> Directeur Infrastructures SI & Support
>> >>
>> >> Ligne directe : +33 1 40 89 19 02
>> >> Ligne mobile : +33 6 95 37 78 32
>> >>
>> >> t....@ca...<mailto:t....@ca...>
>> >>
>> >>
>> >> [logo-cacom-groupe]<http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVEl10y36KiTQ&s=5&u=http%3a%2f%2fcorporate%2ecacom%2efr%2fsignatures%2fgroupe%2ehtml>   [CA Com] <http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVEl1w-3f-iTA&s=5&u=http%3a%2f%2fcorporate%2ecacom%2efr%2fsignatures%2fcacom%5fclichy%2ehtml>
>> >> [url CACOM]<http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVElw08ifv1TQ&s=5&u=http%3a%2f%2fwww%2ecacom%2efr%2f>
>> >> [Logo Linkedin]<http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVEl1U42qugSQ&s=5&u=https%3a%2f%2fwww%2elinkedin%2ecom%2fcompany%2fca-com%3ftrk%3dtop%5fnav%5fhome>[Logo Tweeter]<http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVEl11qiK2iSA&s=5&u=https%3a%2f%2ftwitter%2ecom%2fCA%5fCom%5fRetail>[Logo Facebook]<http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVEl1s-i6_yGw&s=5&u=https%3a%2f%2fwww%2efacebook%2ecom%2fcacomretail>
>> >>
>> >>
>> >>
>> >> [header]
>> >>        [News 1] <http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVEl1g72K3wGQ&s=5&u=http%3a%2f%2fcorporate%2ecacom%2efr%2fsignatures%2fnews2%2ehtml>      [News 2] <http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVEl1g72K3wGQ&s=5&u=http%3a%2f%2fcorporate%2ecacom%2efr%2fsignatures%2fnews2%2ehtml>
>> >
>> >> ------------------------------------------------------------------------------
>> >> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
>> >> patterns at an interface-level. Reveals which users, apps, and protocols are
>> >> consuming the most bandwidth. Provides multi-vendor support for NetFlow,
>> >> J-Flow, sFlow and other flows. Make informed decisions using capacity
>> >> planning reports. http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVEl18736PyRw&s=5&u=https%3a%2f%2fad%2edoubleclick%2enet%2fddm%2fclk%2f305295220%3b132659582%3be
>> >
>> >> _______________________________________________
>> >> mod-security-developers mailing list
>> >> mod...@li...
>> >> http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVEl1040q6kGg&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-developers
>> >> ModSecurity Services from Trustwave's SpiderLabs:
>> >> https://www.trustwave.com/spiderLabs.php
>> >
>> >
>> > --
>> > mailto:chr...@ne...
>> > http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVEl1xuj62qSw&s=5&u=http%3a%2f%2fwww%2echristian-folini%2ech
>> > twitter: @ChrFolini
>> >
>> > ------------------------------------------------------------------------------
>> > What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
>> > patterns at an interface-level. Reveals which users, apps, and protocols are
>> > consuming the most bandwidth. Provides multi-vendor support for NetFlow,
>> > J-Flow, sFlow and other flows. Make informed decisions using capacity
>> > planning reports. http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVEl18736PyRw&s=5&u=https%3a%2f%2fad%2edoubleclick%2enet%2fddm%2fclk%2f305295220%3b132659582%3be
>> > _______________________________________________
>> > mod-security-developers mailing list
>> > mod...@li...
>> > http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVEl1040q6kGg&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-developers
>> > ModSecurity Services from Trustwave's SpiderLabs:
>> > https://www.trustwave.com/spiderLabs.php
>>
>> ------------------------------------------------------------------------------
>> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
>> patterns at an interface-level. Reveals which users, apps, and protocols are
>> consuming the most bandwidth. Provides multi-vendor support for NetFlow,
>> J-Flow, sFlow and other flows. Make informed decisions using capacity
>> planning reports. http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVEl18736PyRw&s=5&u=https%3a%2f%2fad%2edoubleclick%2enet%2fddm%2fclk%2f305295220%3b132659582%3be
>> _______________________________________________
>> mod-security-developers mailing list
>> mod...@li...
>> http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVEl1040q6kGg&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
>
>--
>mailto:chr...@ne...
>http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVEl1xuj62qSw&s=5&u=http%3a%2f%2fwww%2echristian-folini%2ech
>twitter: @ChrFolini
>
>------------------------------------------------------------------------------
>What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
>patterns at an interface-level. Reveals which users, apps, and protocols are
>consuming the most bandwidth. Provides multi-vendor support for NetFlow,
>J-Flow, sFlow and other flows. Make informed decisions using capacity
>planning reports. http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVEl18736PyRw&s=5&u=https%3a%2f%2fad%2edoubleclick%2enet%2fddm%2fclk%2f305295220%3b132659582%3be
>_______________________________________________
>mod-security-developers mailing list
>mod...@li...
>http://scanmail.trustwave.com/?c=4062&d=r5PS18eHhVwIYSpXEd6e1MDy-mTJoaVEl1040q6kGg&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-developers
>ModSecurity Services from Trustwave's SpiderLabs:
>https://www.trustwave.com/spiderLabs.php

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] My App with WAF sounds faster

[Christian F. <chr...@ne...>]

On Sat, Jun 04, 2016 at 08:12:16AM +0000, Thomas CATTY wrote:
> Thanks Christian for your quick answer
> That is exactly what I first answered : it must be just a feeling... But shared today by some  of colleagues and even the end customer himself ;-)
> So I would love to find a reason... 'cause my App didn't change
> I'll try to compile done data as you mentioned 

We're waiting in anticipation for any data backing up your
impression.

Ahoj,

Christian

> 
> Many thanks 
> 
> Thomas CATTY
> Directeur Infrastructures IT & Support
> 06.95.37.78.32
> www.cacom.fr
> 
> 
> > On 03 Jun 2016, at 8:31 PM, Christian Folini <chr...@ne...> wrote:
> > 
> > Thomas,
> > 
> > That is a rare observation indeed. Is it a feeling or do you have hard
> > data?
> > 
> > Regs,
> > 
> > Christian
> > 
> >> On Fri, Jun 03, 2016 at 03:20:51PM +0000, Thomas CATTY wrote:
> >> Hi guys,
> >> Hope you’re fine and thanks for your work
> >> Could one of you explain to me how is it possible that my LAMP App sounds faster since it’s behind the mod_security WAF ;-)
> >> I can’t explain but this is the case …
> >> Any compression ? …
> >> 
> >> Thanks a lot
> >> Cheers,
> >> 
> >> 
> >> 
> >> 
> >> Thomas CATTY
> >> Directeur Infrastructures SI & Support
> >> 
> >> Ligne directe : +33 1 40 89 19 02
> >> Ligne mobile : +33 6 95 37 78 32
> >> 
> >> t....@ca...<mailto:t....@ca...>
> >> 
> >> 
> >> [logo-cacom-groupe]<http://corporate.cacom.fr/signatures/groupe.html>   [CA Com] <http://corporate.cacom.fr/signatures/cacom_clichy.html>
> >> [url CACOM]<http://www.cacom.fr/>
> >> [Logo Linkedin]<https://www.linkedin.com/company/ca-com?trk=top_nav_home>[Logo Tweeter]<https://twitter.com/CA_Com_Retail>[Logo Facebook]<https://www.facebook.com/cacomretail>
> >> 
> >> 
> >> 
> >> [header]
> >>        [News 1] <http://corporate.cacom.fr/signatures/news2.html>      [News 2] <http://corporate.cacom.fr/signatures/news2.html>
> > 
> >> ------------------------------------------------------------------------------
> >> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> >> patterns at an interface-level. Reveals which users, apps, and protocols are 
> >> consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
> >> J-Flow, sFlow and other flows. Make informed decisions using capacity 
> >> planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
> > 
> >> _______________________________________________
> >> mod-security-developers mailing list
> >> mod...@li...
> >> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> >> ModSecurity Services from Trustwave's SpiderLabs:
> >> https://www.trustwave.com/spiderLabs.php
> > 
> > 
> > -- 
> > mailto:chr...@ne...
> > http://www.christian-folini.ch
> > twitter: @ChrFolini
> > 
> > ------------------------------------------------------------------------------
> > What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> > patterns at an interface-level. Reveals which users, apps, and protocols are 
> > consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
> > J-Flow, sFlow and other flows. Make informed decisions using capacity 
> > planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
> > _______________________________________________
> > mod-security-developers mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> > ModSecurity Services from Trustwave's SpiderLabs:
> > https://www.trustwave.com/spiderLabs.php
> 
> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> patterns at an interface-level. Reveals which users, apps, and protocols are 
> consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
> J-Flow, sFlow and other flows. Make informed decisions using capacity 
> planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php

-- 
mailto:chr...@ne...
http://www.christian-folini.ch
twitter: @ChrFolini

Re: [Mod-security-developers] My App with WAF sounds faster

[Thomas C. <t....@ca...>]

Thanks Christian for your quick answer
That is exactly what I first answered : it must be just a feeling... But shared today by some  of colleagues and even the end customer himself ;-)
So I would love to find a reason... 'cause my App didn't change
I'll try to compile done data as you mentioned 

Many thanks 

Thomas CATTY
Directeur Infrastructures IT & Support
06.95.37.78.32
www.cacom.fr


> On 03 Jun 2016, at 8:31 PM, Christian Folini <chr...@ne...> wrote:
> 
> Thomas,
> 
> That is a rare observation indeed. Is it a feeling or do you have hard
> data?
> 
> Regs,
> 
> Christian
> 
>> On Fri, Jun 03, 2016 at 03:20:51PM +0000, Thomas CATTY wrote:
>> Hi guys,
>> Hope you’re fine and thanks for your work
>> Could one of you explain to me how is it possible that my LAMP App sounds faster since it’s behind the mod_security WAF ;-)
>> I can’t explain but this is the case …
>> Any compression ? …
>> 
>> Thanks a lot
>> Cheers,
>> 
>> 
>> 
>> 
>> Thomas CATTY
>> Directeur Infrastructures SI & Support
>> 
>> Ligne directe : +33 1 40 89 19 02
>> Ligne mobile : +33 6 95 37 78 32
>> 
>> t....@ca...<mailto:t....@ca...>
>> 
>> 
>> [logo-cacom-groupe]<http://corporate.cacom.fr/signatures/groupe.html>   [CA Com] <http://corporate.cacom.fr/signatures/cacom_clichy.html>
>> [url CACOM]<http://www.cacom.fr/>
>> [Logo Linkedin]<https://www.linkedin.com/company/ca-com?trk=top_nav_home>[Logo Tweeter]<https://twitter.com/CA_Com_Retail>[Logo Facebook]<https://www.facebook.com/cacomretail>
>> 
>> 
>> 
>> [header]
>>        [News 1] <http://corporate.cacom.fr/signatures/news2.html>      [News 2] <http://corporate.cacom.fr/signatures/news2.html>
> 
>> ------------------------------------------------------------------------------
>> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
>> patterns at an interface-level. Reveals which users, apps, and protocols are 
>> consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
>> J-Flow, sFlow and other flows. Make informed decisions using capacity 
>> planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
> 
>> _______________________________________________
>> mod-security-developers mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
> 
> 
> -- 
> mailto:chr...@ne...
> http://www.christian-folini.ch
> twitter: @ChrFolini
> 
> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> patterns at an interface-level. Reveals which users, apps, and protocols are 
> consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
> J-Flow, sFlow and other flows. Make informed decisions using capacity 
> planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php

Re: [Mod-security-developers] My App with WAF sounds faster

[Christian F. <chr...@ne...>]

Thomas,

That is a rare observation indeed. Is it a feeling or do you have hard
data?

Regs,

Christian

On Fri, Jun 03, 2016 at 03:20:51PM +0000, Thomas CATTY wrote:
> Hi guys,
> Hope you’re fine and thanks for your work
> Could one of you explain to me how is it possible that my LAMP App sounds faster since it’s behind the mod_security WAF ;-)
> I can’t explain but this is the case …
> Any compression ? …
> 
> Thanks a lot
> Cheers,
> 
> 
> 
> 
> Thomas CATTY
> Directeur Infrastructures SI & Support
> 
> Ligne directe : +33 1 40 89 19 02
> Ligne mobile : +33 6 95 37 78 32
> 
> t....@ca...<mailto:t....@ca...>
> 
> 
> [logo-cacom-groupe]<http://corporate.cacom.fr/signatures/groupe.html>   [CA Com] <http://corporate.cacom.fr/signatures/cacom_clichy.html>
> [url CACOM]<http://www.cacom.fr/>
> [Logo Linkedin]<https://www.linkedin.com/company/ca-com?trk=top_nav_home>[Logo Tweeter]<https://twitter.com/CA_Com_Retail>[Logo Facebook]<https://www.facebook.com/cacomretail>
> 
> 
> 
> [header]
>         [News 1] <http://corporate.cacom.fr/signatures/news2.html>      [News 2] <http://corporate.cacom.fr/signatures/news2.html>
> 
> 
> 
> 
> 
> 
> 
> 

> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> patterns at an interface-level. Reveals which users, apps, and protocols are 
> consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
> J-Flow, sFlow and other flows. Make informed decisions using capacity 
> planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e

> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php


-- 
mailto:chr...@ne...
http://www.christian-folini.ch
twitter: @ChrFolini

[Mod-security-developers] My App with WAF sounds faster

[Thomas C. <t....@ca...>]

Hi guys,
Hope you’re fine and thanks for your work
Could one of you explain to me how is it possible that my LAMP App sounds faster since it’s behind the mod_security WAF ;-)
I can’t explain but this is the case …
Any compression ? …

Thanks a lot
Cheers,




Thomas CATTY
Directeur Infrastructures SI & Support

Ligne directe : +33 1 40 89 19 02
Ligne mobile : +33 6 95 37 78 32

t....@ca...<mailto:t....@ca...>


[logo-cacom-groupe]<http://corporate.cacom.fr/signatures/groupe.html>   [CA Com] <http://corporate.cacom.fr/signatures/cacom_clichy.html>
[url CACOM]<http://www.cacom.fr/>
[Logo Linkedin]<https://www.linkedin.com/company/ca-com?trk=top_nav_home>[Logo Tweeter]<https://twitter.com/CA_Com_Retail>[Logo Facebook]<https://www.facebook.com/cacomretail>



[header]
        [News 1] <http://corporate.cacom.fr/signatures/news2.html>      [News 2] <http://corporate.cacom.fr/signatures/news2.html>

Re: [Mod-security-developers] Possible bug in ModSec (was: Re: [Owasp-modsecurity-core-rule-set] Error with CRS 3.0.0-rc1 "error parsing actions unknown action \\")

[Christian F. <chr...@ne...>]

Felipe,

Thank you for the quick response. Glad this is fixed.

A glitch in my lab setup made me believe a new apache showed the
same behaviour. But that was a false alarm. Thank you for pointing this
out.

Cheers,

Christian




On Tue, May 31, 2016 at 12:34:32AM +0000, Felipe Costa wrote:
> Hi Christian,
> 
> It seems to me that this problem is associated with an known Apache issue.
> It is related to the utilization of the continuation lines “\\” .
> 
> For further details: https://bz.apache.org/bugzilla/show_bug.cgi?id=55910
> 
> I made the comment #4 back on 2014: https://bz.apache.org/bugzilla/show_bug.cgi?id=55910#c4
> 
> I think it is fixed on Apache 2.4.11+.
> 
> Br.,
> Felipe “Zimmerle” Costa
> Security Researcher, Lead Developer ModSecurity.
> 
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
> 
> 
> 
> 
> 
> 
> 
> 
> On 5/30/16, 5:34 PM, "Christian Folini" <chr...@ne...> wrote:
> 
> >David,
> >
> >Thanks for writing in. I am X-posting this to modsec-dev as well.
> >
> >Yours is a very strange problem indeed. I am running the 3.0rc1
> >ruleset in production and have been running dozens of tests without
> >any issue.
> >
> >Here is the minimal configuration, which triggered the bug in my
> >environment (Ubunt 14.04, apache 2.4.7, modsec 2.9.1)
> >
> >ServerName              localhost
> >ServerAdmin             root@localhost
> >ServerRoot              /opt/apache-2.4.18
> >User                    www-data
> >Group                   www-data
> >PidFile                        logs/httpd.pid
> >
> >ServerTokens            Prod
> >UseCanonicalName        On
> >TraceEnable             Off
> >
> >Timeout                 300
> >MaxClients              100
> >
> >KeepAlive               On
> >KeepAliveTimeout        100ms
> >
> >Listen                  127.0.0.1:80
> >
> >LoadModule              mpm_prefork_module      modules/mod_mpm_prefork.so
> >LoadModule              unixd_module            modules/mod_unixd.so
> >LoadModule              authz_host_module       modules/mod_authz_host.so
> >LoadModule              log_config_module       modules/mod_log_config.so
> >LoadModule              logio_module            modules/mod_logio.so
> >
> >LoadModule              headers_module          modules/mod_headers.so
> >LoadModule              unique_id_module        modules/mod_unique_id.so
> >LoadModule              security2_module        modules/mod_security2.so
> >
> >LoadModule              mime_module             modules/mod_mime.so
> >LoadModule              status_module           modules/mod_status.so
> >
> >LoadModule              lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
> >
> >LogLevel                        debug core:notice
> >
> >ErrorLogFormat "[%{cu}t] [%-m:%-l] %-a %-L %M"
> >
> >
> >ErrorLog                logs/error.log
> >
> >DocumentRoot            /apache/htdocs
> >
> ># === Start ModSec Configuration
> >
> >SecRuleEngine                 On
> >
> >SecRequestBodyAccess          On
> >SecRequestBodyLimit           10000000
> >SecRequestBodyNoFilesLimit    64000
> >
> >SecResponseBodyAccess         On
> >SecResponseBodyLimit          10000000
> >
> >SecTmpDir                     /tmp/
> >SecDataDir                    /tmp/
> >SecUploadDir                  /tmp/
> >
> >SecDebugLog                   /apache/logs/modsec_debug.log
> >SecDebugLogLevel              9
> >
> >SecAuditEngine                RelevantOnly
> >SecAuditLogRelevantStatus     "^(?:5|4(?!04))"
> >SecAuditLogParts              ABEFHIJZ
> >
> >SecAuditLogType               Concurrent
> >SecAuditLog                   /apache/logs/modsec_audit.log
> >SecAuditLogStorageDir         /apache/logs/audit/
> >
> >SecPcreMatchLimit             500000
> >SecPcreMatchLimitRecursion    500000
> >
> >SecDefaultAction              "phase:2,pass,log"
> >
> >
> >SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
> >       "phase:response,\
> >       rev:'2',\
> >       ver:'OWASP_CRS/3.0.0',\
> >       maturity:'9',\
> >       accuracy:'9',\
> >       t:none,\
> >       block,\
> >       id:'950110'"
> >
> >
> ><Directory />
> >        Options SymLinksIfOwnerMatch
> >        AllowOverride None
> ></Directory>
> >
> ><VirtualHost *:80>
> >        ServerName localhost
> >
> >        <Directory /apache/htdocs>
> >
> >        </Directory>
> >
> ></VirtualHost>
> >
> >
> >$> ./bin/httpd -X -f conf/httpd.conf_problem_of_the_day
> >AH00526: Syntax error on line 82 of /opt/apache-2.4.18/conf/httpd.conf_problem_of_the_day
> >Error parsing actions: Unknown action: \\
> >
> >I tried this with 2.4.7 as well.
> >
> >If I take a single character out of the regex or out of the version
> >string (OWASP_CRS...), then the bug disappears.
> >
> >If I add a space in front of the backslash: bug disappears.
> >
> >Given the config above, I am quite sure there is a bug hidden somewhere.
> >Maybe I am overlooking something and somebody can point me to an
> >error. If that is not the case, then I think it is a bug.
> >
> >David: I suggest you open a bug report. Please open it against
> >ModSecurity and not against the Core Rules.
> >
> >Ahoj,
> >
> >Christian
> >
> >
> >
> >
> >
> >On Fri, May 27, 2016 at 08:48:31PM -0500, David Angel wrote:
> >> Good evening,
> >>
> >> I originally posted this at
> >> http://scanmail.trustwave.com/?c=4062&d=9qPM115iL1ynPbZVTXRAV5XeKfPloSkwS5l7QuIfKA&s=5&u=http%3a%2f%2fstackoverflow%2ecom%2fquestions%2f37369990%2fmodsecurity-error-parsing-actions-unknown-action
> >> and it was suggested to send to this listserv as well.
> >>
> >> I'm trying to get CRS 3.0.0.-rc1 working with ModSecurity 2.9.1 and Apache
> >> 2.4.7 on an Ubuntu 14.04 machine.
> >>
> >> I'm using all the rules in the /rules directory, and when trying to start
> >> Apache I receive the following error. (Note: There is no entry in the
> >> Apache error.log file for this.)
> >>
> >> AH00526: Syntax error on line 35 of
> >> /etc/apache2/conf/crs/rules/RESPONSE-50-DATA-LEAKAGES-PHP.conf:
> >> Error parsing actions: Unknown action: \\
> >> Action 'configtest' failed.
> >>
> >> In my troubleshooting of the *RESPONSE-50-DATA-LEAKAGES-PHP.conf
> >> *file, I combined line 35 with 34
> >>
> >> capture,ctl:auditLogParts=+E,\
> >>
> >> just to see if the line error would change (and make sure I was indeed
> >> troubleshooting the correct file) and suddenly this error is gone, and
> >> is replaced with another.
> >>
> >> AH00526: Syntax error on line 31 of
> >> /etc/apache2/conf/crs/rules/RESPONSE-50-DATA-LEAKAGES.conf:
> >> Error parsing actions: Unknown action: \\
> >>
> >> which again is solved by combining with the line above it.
> >>
> >> accuracy:'9',t:none,\
> >>
> >>
> >> Now it starts correctly with no error.  Needless to say I'm pretty
> >> confused about this error, and more confused about the "fix" since I
> >> don't understand why removing a single line continuation would matter.
> >>
> >> Any thoughts on this?  Or any suggestions to increase debug\troubleshooting?
> >>
> >> Thanks,
> >> David Angel
> >
> >> _______________________________________________
> >> Owasp-modsecurity-core-rule-set mailing list
> >> Owa...@li...
> >> http://scanmail.trustwave.com/?c=4062&d=9qPM115iL1ynPbZVTXRAV5XeKfPloSkwS50vHuBKKQ&s=5&u=https%3a%2f%2flists%2eowasp%2eorg%2fmailman%2flistinfo%2fowasp-modsecurity-core-rule-set
> >
> >
> >--
> >mailto:chr...@ne...
> >http://scanmail.trustwave.com/?c=4062&d=9qPM115iL1ynPbZVTXRAV5XeKfPloSkwS5h6QuYRJA&s=5&u=http%3a%2f%2fwww%2echristian-folini%2ech
> >twitter: @ChrFolini
> >
> >------------------------------------------------------------------------------
> >What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> >patterns at an interface-level. Reveals which users, apps, and protocols are
> >consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> >J-Flow, sFlow and other flows. Make informed decisions using capacity
> >planning reports. http://scanmail.trustwave.com/?c=4062&d=9qPM115iL1ynPbZVTXRAV5XeKfPloSkwS5svEuhJKA&s=5&u=https%3a%2f%2fad%2edoubleclick%2enet%2fddm%2fclk%2f305295220%3b132659582%3be
> >_______________________________________________
> >mod-security-developers mailing list
> >mod...@li...
> >http://scanmail.trustwave.com/?c=4062&d=9qPM115iL1ynPbZVTXRAV5XeKfPloSkwS5ksH-UfdQ&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-developers
> >ModSecurity Services from Trustwave's SpiderLabs:
> >https://www.trustwave.com/spiderLabs.php
> 
> ________________________________
> 
> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> patterns at an interface-level. Reveals which users, apps, and protocols are 
> consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
> J-Flow, sFlow and other flows. Make informed decisions using capacity 
> planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php

-- 
mailto:chr...@ne...
http://www.christian-folini.ch
twitter: @ChrFolini

Re: [Mod-security-developers] Possible bug in ModSec (was: Re: [Owasp-modsecurity-core-rule-set] Error with CRS 3.0.0-rc1 "error parsing actions unknown action \\")

[Felipe C. <FC...@tr...>]

Hi Christian,

It seems to me that this problem is associated with an known Apache issue.
It is related to the utilization of the continuation lines “\\” .

For further details: https://bz.apache.org/bugzilla/show_bug.cgi?id=55910

I made the comment #4 back on 2014: https://bz.apache.org/bugzilla/show_bug.cgi?id=55910#c4

I think it is fixed on Apache 2.4.11+.

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>








On 5/30/16, 5:34 PM, "Christian Folini" <chr...@ne...> wrote:

>David,
>
>Thanks for writing in. I am X-posting this to modsec-dev as well.
>
>Yours is a very strange problem indeed. I am running the 3.0rc1
>ruleset in production and have been running dozens of tests without
>any issue.
>
>Here is the minimal configuration, which triggered the bug in my
>environment (Ubunt 14.04, apache 2.4.7, modsec 2.9.1)
>
>ServerName              localhost
>ServerAdmin             root@localhost
>ServerRoot              /opt/apache-2.4.18
>User                    www-data
>Group                   www-data
>PidFile                        logs/httpd.pid
>
>ServerTokens            Prod
>UseCanonicalName        On
>TraceEnable             Off
>
>Timeout                 300
>MaxClients              100
>
>KeepAlive               On
>KeepAliveTimeout        100ms
>
>Listen                  127.0.0.1:80
>
>LoadModule              mpm_prefork_module      modules/mod_mpm_prefork.so
>LoadModule              unixd_module            modules/mod_unixd.so
>LoadModule              authz_host_module       modules/mod_authz_host.so
>LoadModule              log_config_module       modules/mod_log_config.so
>LoadModule              logio_module            modules/mod_logio.so
>
>LoadModule              headers_module          modules/mod_headers.so
>LoadModule              unique_id_module        modules/mod_unique_id.so
>LoadModule              security2_module        modules/mod_security2.so
>
>LoadModule              mime_module             modules/mod_mime.so
>LoadModule              status_module           modules/mod_status.so
>
>LoadModule              lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
>
>LogLevel                        debug core:notice
>
>ErrorLogFormat "[%{cu}t] [%-m:%-l] %-a %-L %M"
>
>
>ErrorLog                logs/error.log
>
>DocumentRoot            /apache/htdocs
>
># === Start ModSec Configuration
>
>SecRuleEngine                 On
>
>SecRequestBodyAccess          On
>SecRequestBodyLimit           10000000
>SecRequestBodyNoFilesLimit    64000
>
>SecResponseBodyAccess         On
>SecResponseBodyLimit          10000000
>
>SecTmpDir                     /tmp/
>SecDataDir                    /tmp/
>SecUploadDir                  /tmp/
>
>SecDebugLog                   /apache/logs/modsec_debug.log
>SecDebugLogLevel              9
>
>SecAuditEngine                RelevantOnly
>SecAuditLogRelevantStatus     "^(?:5|4(?!04))"
>SecAuditLogParts              ABEFHIJZ
>
>SecAuditLogType               Concurrent
>SecAuditLog                   /apache/logs/modsec_audit.log
>SecAuditLogStorageDir         /apache/logs/audit/
>
>SecPcreMatchLimit             500000
>SecPcreMatchLimitRecursion    500000
>
>SecDefaultAction              "phase:2,pass,log"
>
>
>SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
>       "phase:response,\
>       rev:'2',\
>       ver:'OWASP_CRS/3.0.0',\
>       maturity:'9',\
>       accuracy:'9',\
>       t:none,\
>       block,\
>       id:'950110'"
>
>
><Directory />
>        Options SymLinksIfOwnerMatch
>        AllowOverride None
></Directory>
>
><VirtualHost *:80>
>        ServerName localhost
>
>        <Directory /apache/htdocs>
>
>        </Directory>
>
></VirtualHost>
>
>
>$> ./bin/httpd -X -f conf/httpd.conf_problem_of_the_day
>AH00526: Syntax error on line 82 of /opt/apache-2.4.18/conf/httpd.conf_problem_of_the_day
>Error parsing actions: Unknown action: \\
>
>I tried this with 2.4.7 as well.
>
>If I take a single character out of the regex or out of the version
>string (OWASP_CRS...), then the bug disappears.
>
>If I add a space in front of the backslash: bug disappears.
>
>Given the config above, I am quite sure there is a bug hidden somewhere.
>Maybe I am overlooking something and somebody can point me to an
>error. If that is not the case, then I think it is a bug.
>
>David: I suggest you open a bug report. Please open it against
>ModSecurity and not against the Core Rules.
>
>Ahoj,
>
>Christian
>
>
>
>
>
>On Fri, May 27, 2016 at 08:48:31PM -0500, David Angel wrote:
>> Good evening,
>>
>> I originally posted this at
>> http://scanmail.trustwave.com/?c=4062&d=9qPM115iL1ynPbZVTXRAV5XeKfPloSkwS5l7QuIfKA&s=5&u=http%3a%2f%2fstackoverflow%2ecom%2fquestions%2f37369990%2fmodsecurity-error-parsing-actions-unknown-action
>> and it was suggested to send to this listserv as well.
>>
>> I'm trying to get CRS 3.0.0.-rc1 working with ModSecurity 2.9.1 and Apache
>> 2.4.7 on an Ubuntu 14.04 machine.
>>
>> I'm using all the rules in the /rules directory, and when trying to start
>> Apache I receive the following error. (Note: There is no entry in the
>> Apache error.log file for this.)
>>
>> AH00526: Syntax error on line 35 of
>> /etc/apache2/conf/crs/rules/RESPONSE-50-DATA-LEAKAGES-PHP.conf:
>> Error parsing actions: Unknown action: \\
>> Action 'configtest' failed.
>>
>> In my troubleshooting of the *RESPONSE-50-DATA-LEAKAGES-PHP.conf
>> *file, I combined line 35 with 34
>>
>> capture,ctl:auditLogParts=+E,\
>>
>> just to see if the line error would change (and make sure I was indeed
>> troubleshooting the correct file) and suddenly this error is gone, and
>> is replaced with another.
>>
>> AH00526: Syntax error on line 31 of
>> /etc/apache2/conf/crs/rules/RESPONSE-50-DATA-LEAKAGES.conf:
>> Error parsing actions: Unknown action: \\
>>
>> which again is solved by combining with the line above it.
>>
>> accuracy:'9',t:none,\
>>
>>
>> Now it starts correctly with no error.  Needless to say I'm pretty
>> confused about this error, and more confused about the "fix" since I
>> don't understand why removing a single line continuation would matter.
>>
>> Any thoughts on this?  Or any suggestions to increase debug\troubleshooting?
>>
>> Thanks,
>> David Angel
>
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owa...@li...
>> http://scanmail.trustwave.com/?c=4062&d=9qPM115iL1ynPbZVTXRAV5XeKfPloSkwS50vHuBKKQ&s=5&u=https%3a%2f%2flists%2eowasp%2eorg%2fmailman%2flistinfo%2fowasp-modsecurity-core-rule-set
>
>
>--
>mailto:chr...@ne...
>http://scanmail.trustwave.com/?c=4062&d=9qPM115iL1ynPbZVTXRAV5XeKfPloSkwS5h6QuYRJA&s=5&u=http%3a%2f%2fwww%2echristian-folini%2ech
>twitter: @ChrFolini
>
>------------------------------------------------------------------------------
>What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
>patterns at an interface-level. Reveals which users, apps, and protocols are
>consuming the most bandwidth. Provides multi-vendor support for NetFlow,
>J-Flow, sFlow and other flows. Make informed decisions using capacity
>planning reports. http://scanmail.trustwave.com/?c=4062&d=9qPM115iL1ynPbZVTXRAV5XeKfPloSkwS5svEuhJKA&s=5&u=https%3a%2f%2fad%2edoubleclick%2enet%2fddm%2fclk%2f305295220%3b132659582%3be
>_______________________________________________
>mod-security-developers mailing list
>mod...@li...
>http://scanmail.trustwave.com/?c=4062&d=9qPM115iL1ynPbZVTXRAV5XeKfPloSkwS5ksH-UfdQ&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-developers
>ModSecurity Services from Trustwave's SpiderLabs:
>https://www.trustwave.com/spiderLabs.php

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

[Mod-security-developers] Possible bug in ModSec (was: Re: [Owasp-modsecurity-core-rule-set] Error with CRS 3.0.0-rc1 "error parsing actions unknown action \\")

[Christian F. <chr...@ne...>]

David,

Thanks for writing in. I am X-posting this to modsec-dev as well.

Yours is a very strange problem indeed. I am running the 3.0rc1
ruleset in production and have been running dozens of tests without
any issue.

Here is the minimal configuration, which triggered the bug in my
environment (Ubunt 14.04, apache 2.4.7, modsec 2.9.1)

ServerName              localhost
ServerAdmin             root@localhost
ServerRoot              /opt/apache-2.4.18
User                    www-data
Group                   www-data
PidFile			logs/httpd.pid

ServerTokens            Prod
UseCanonicalName        On
TraceEnable             Off

Timeout                 300
MaxClients              100

KeepAlive               On
KeepAliveTimeout        100ms

Listen                  127.0.0.1:80

LoadModule              mpm_prefork_module      modules/mod_mpm_prefork.so
LoadModule              unixd_module            modules/mod_unixd.so
LoadModule              authz_host_module       modules/mod_authz_host.so
LoadModule              log_config_module       modules/mod_log_config.so
LoadModule              logio_module            modules/mod_logio.so

LoadModule              headers_module          modules/mod_headers.so
LoadModule              unique_id_module        modules/mod_unique_id.so
LoadModule              security2_module        modules/mod_security2.so

LoadModule              mime_module             modules/mod_mime.so
LoadModule              status_module           modules/mod_status.so

LoadModule              lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so

LogLevel                        debug core:notice

ErrorLogFormat "[%{cu}t] [%-m:%-l] %-a %-L %M"


ErrorLog                logs/error.log

DocumentRoot            /apache/htdocs

# === Start ModSec Configuration

SecRuleEngine                 On

SecRequestBodyAccess          On
SecRequestBodyLimit           10000000
SecRequestBodyNoFilesLimit    64000

SecResponseBodyAccess         On
SecResponseBodyLimit          10000000

SecTmpDir                     /tmp/
SecDataDir                    /tmp/
SecUploadDir                  /tmp/

SecDebugLog                   /apache/logs/modsec_debug.log
SecDebugLogLevel              9

SecAuditEngine                RelevantOnly
SecAuditLogRelevantStatus     "^(?:5|4(?!04))"
SecAuditLogParts              ABEFHIJZ

SecAuditLogType               Concurrent
SecAuditLog                   /apache/logs/modsec_audit.log
SecAuditLogStorageDir         /apache/logs/audit/

SecPcreMatchLimit             500000
SecPcreMatchLimitRecursion    500000

SecDefaultAction              "phase:2,pass,log"


SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
	"phase:response,\
	rev:'2',\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'9',\
	accuracy:'9',\
	t:none,\
	block,\
	id:'950110'"


<Directory />
        Options SymLinksIfOwnerMatch
        AllowOverride None
</Directory>

<VirtualHost *:80>
        ServerName localhost

        <Directory /apache/htdocs>

        </Directory>

</VirtualHost>


$> ./bin/httpd -X -f conf/httpd.conf_problem_of_the_day
AH00526: Syntax error on line 82 of /opt/apache-2.4.18/conf/httpd.conf_problem_of_the_day
Error parsing actions: Unknown action: \\

I tried this with 2.4.7 as well.

If I take a single character out of the regex or out of the version
string (OWASP_CRS...), then the bug disappears.

If I add a space in front of the backslash: bug disappears.

Given the config above, I am quite sure there is a bug hidden somewhere.
Maybe I am overlooking something and somebody can point me to an
error. If that is not the case, then I think it is a bug.

David: I suggest you open a bug report. Please open it against
ModSecurity and not against the Core Rules.

Ahoj,

Christian





On Fri, May 27, 2016 at 08:48:31PM -0500, David Angel wrote:
> Good evening,
> 
> I originally posted this at
> http://stackoverflow.com/questions/37369990/modsecurity-error-parsing-actions-unknown-action
> and it was suggested to send to this listserv as well.
> 
> I'm trying to get CRS 3.0.0.-rc1 working with ModSecurity 2.9.1 and Apache
> 2.4.7 on an Ubuntu 14.04 machine.
> 
> I'm using all the rules in the /rules directory, and when trying to start
> Apache I receive the following error. (Note: There is no entry in the
> Apache error.log file for this.)
> 
> AH00526: Syntax error on line 35 of
> /etc/apache2/conf/crs/rules/RESPONSE-50-DATA-LEAKAGES-PHP.conf:
> Error parsing actions: Unknown action: \\
> Action 'configtest' failed.
> 
> In my troubleshooting of the *RESPONSE-50-DATA-LEAKAGES-PHP.conf
> *file, I combined line 35 with 34
> 
> capture,ctl:auditLogParts=+E,\
> 
> just to see if the line error would change (and make sure I was indeed
> troubleshooting the correct file) and suddenly this error is gone, and
> is replaced with another.
> 
> AH00526: Syntax error on line 31 of
> /etc/apache2/conf/crs/rules/RESPONSE-50-DATA-LEAKAGES.conf:
> Error parsing actions: Unknown action: \\
> 
> which again is solved by combining with the line above it.
> 
> accuracy:'9',t:none,\
> 
> 
> Now it starts correctly with no error.  Needless to say I'm pretty
> confused about this error, and more confused about the "fix" since I
> don't understand why removing a single line continuation would matter.
> 
> Any thoughts on this?  Or any suggestions to increase debug\troubleshooting?
> 
> Thanks,
> David Angel

> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owa...@li...
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set


-- 
mailto:chr...@ne...
http://www.christian-folini.ch
twitter: @ChrFolini

Re: [Mod-security-developers] Hyperscan

[Marc S. <mar...@ap...>]

For me it's definitely a blocker and I guess it would be the same for 
some users.
But, if you can choose your RE engine that would be a perfect solution 
(as far as you compile it yourself).
Furtermore, if the UTF-8 support is better in another library, we could 
try it also.

Marc

On 4/5/16, 1:53 AM, "Christian Folini" <chr...@ne...> wrote:

> If you need features (e.g. sub-expression capture) or pattern
> constructs
> (e.g. back-references or arbitrary look around asserts) you may not be
> able to use Hyperscan (although we do have a pre-filter mode that can
> optimize some cases).
> ->http://scanmail.trustwave.com/?c=4062&d=_8SD17SSFxcGTyITZx90bheVWxEf38or3BaqDWrOIQ&s=5&u=https%3a%2f%2f01%2eorg%2fhyperscan%2fblogs%2fgeofflangdale%2f2015%2fwelcome-hyperscan
>
> Is not that a blocker?

It is not clear to me if this is a blocker. I don't think so. Are you concerned
about the sub-expression capture?

It is also not clear if it will really improve the performance, as our content
is usually very small. I guess it is not so hard to test.

Re: [Mod-security-developers] Hyperscan

[Christian F. <chr...@ne...>]

Hello,

On Tue, Apr 05, 2016 at 04:52:36PM +0000, Felipe Costa wrote:
> >Is not that a blocker?
> 
> It is not clear to me if this is a blocker. I don't think so. Are you concerned
> about the sub-expression capture?

Exactly. Or does not ModSec depend on that pcre feature?

> It is also not clear if it will really improve the performance, as our content
> is usually very small. I guess it is not so hard to test.

If the API is similar, then a perf test definitely makes sense.

Ahoj,

Christian


-- 
We cannot ensure success, but we can deserve it.
-- George Washington

Re: [Mod-security-developers] Hyperscan

[Robert P. <rpa...@fe...>]

Not having PCRE backreferences should definitely be a blocker, as that
significantly limits the flexiblity of the expression language. I also
think that, in most cases, the scope of regex targets is not such that this
would present a significant performance improvement.

On Tue, Apr 5, 2016 at 9:52 AM, Felipe Costa <FC...@tr...> wrote:

>
> Hi,
>
>
> On 4/5/16, 1:53 AM, "Christian Folini" <chr...@ne...>
> wrote:
>
> >It seems to come with the following string attached:
> >
> >> If you need features (e.g. sub-expression capture) or pattern
> >> constructs
> >> (e.g. back-references or arbitrary look around asserts) you may not be
> >> able to use Hyperscan (although we do have a pre-filter mode that can
> >> optimize some cases).
> >
> >->
> http://scanmail.trustwave.com/?c=4062&d=_8SD17SSFxcGTyITZx90bheVWxEf38or3BaqDWrOIQ&s=5&u=https%3a%2f%2f01%2eorg%2fhyperscan%2fblogs%2fgeofflangdale%2f2015%2fwelcome-hyperscan
> >
> >Is not that a blocker?
>
>
> It is not clear to me if this is a blocker. I don't think so. Are you
> concerned
> about the sub-expression capture?
>
>
> It is also not clear if it will really improve the performance, as our
> content
> is usually very small. I guess it is not so hard to test.
>
>
> Br.,
> Felipe “Zimmerle” Costa
> Security Researcher, Lead Developer ModSecurity.
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
>
>
>
>
>
>
>
>
> >
>
> ________________________________
>
> This transmission may contain information that is privileged,
> confidential, and/or exempt from disclosure under applicable law. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information contained
> herein (including any reliance thereon) is strictly prohibited. If you
> received this transmission in error, please immediately contact the sender
> and destroy the material in its entirety, whether in electronic or hard
> copy format.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>

Re: [Mod-security-developers] Hyperscan

[Felipe C. <FC...@tr...>]

Hi,


On 4/5/16, 1:53 AM, "Christian Folini" <chr...@ne...> wrote:

>It seems to come with the following string attached:
>
>> If you need features (e.g. sub-expression capture) or pattern
>> constructs
>> (e.g. back-references or arbitrary look around asserts) you may not be
>> able to use Hyperscan (although we do have a pre-filter mode that can
>> optimize some cases).
>
>-> http://scanmail.trustwave.com/?c=4062&d=_8SD17SSFxcGTyITZx90bheVWxEf38or3BaqDWrOIQ&s=5&u=https%3a%2f%2f01%2eorg%2fhyperscan%2fblogs%2fgeofflangdale%2f2015%2fwelcome-hyperscan
>
>Is not that a blocker?


It is not clear to me if this is a blocker. I don't think so. Are you concerned
about the sub-expression capture?


It is also not clear if it will really improve the performance, as our content
is usually very small. I guess it is not so hard to test.


Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>








>

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Re: [Mod-security-developers] Hyperscan

[Christian F. <chr...@ne...>]

Hello,

On Fri, Apr 01, 2016 at 01:59:38PM +0000, Felipe Costa wrote:
> In fact that is an interesting replacement for the libpcre.

It seems to come with the following string attached:

> If you need features (e.g. sub-expression capture) or pattern
> constructs
> (e.g. back-references or arbitrary look around asserts) you may not be
> able to use Hyperscan (although we do have a pre-filter mode that can
> optimize some cases).

-> https://01.org/hyperscan/blogs/geofflangdale/2015/welcome-hyperscan

Is not that a blocker?

Ahoj,

Christian


-- 
When there are too many policemen, there can be no liberty. When there
are too many soldiers, there can be no peace. When there are too many
lawyers, there can be no justice.
-- Lin Yutang

Re: [Mod-security-developers] Hyperscan

[Felipe C. <FC...@tr...>]

Hi Breno,

In fact that is an interesting replacement for the libpcre. We may be able to
make the regex engine inside ModSecurity v3 something pluggable. So it will be
easy to integrate and test a new regex engine.

During the elaboration of ModSecurity v3 we have considered to replace the regex
engine. Chaim suggested another engine that was capable to deal with utf-8
string more easily, I don’t recall the name. Chaim?

Considering that I've created this wrapper for the regex utilization:
https://github.com/SpiderLabs/ModSecurity/blob/libmodsecurity/src/utils/regex.cc

https://github.com/SpiderLabs/ModSecurity/blob/libmodsecurity/src/utils/regex.h


To replace the engine we just have to change the code in those files.

Are you interested to make a contribution on that area? If so, we can help you.


Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>






From:  Breno Silva <bre...@gm...>
Reply-To:  "mod...@li..." <mod...@li...>
Date:  Thursday, March 31, 2016 at 6:27 PM
To:  mod-security-developers <mod...@li...>
Subject:  [Mod-security-developers] Hyperscan


Interesting project to be considered by modsecurity
https://01.org/hyperscan <http://scanmail.trustwave.com/?c=4062&d=oab91mRoxVs_Ad9K3z51iYss857g0PdnLYNBfKNJYg&s=5&u=https%3a%2f%2f01%2eorg%2fhyperscan>
Breno

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.