Thread: [Mod-security-developers] Directive Names in NginX and IIS
From: Christian F. <chr...@ne...> - 2016-09-05 13:40:07
Hi there,

The source code defines the function
SecGeoLookupDB.
However, all references in the documentation point to
SecGeoLookupDb.

Apache directives are case insensitive. So this is no big deal.
But what's the matter on NginX and IIS. Do both variants work there?
Or has the documentation to be adopted. And how about v3?

Ahoj,

Christian

--
https://www.feistyduck.com/training/modsecurity-training-course
mailto:chr...@ne...
twitter: @ChrFolini
From: Felipe C. <FC...@tr...> - 2016-09-05 13:58:41
Hi Christian,

Good question. The directive names in all versions (including nginx, iis and libModSecurity) should be treated in the same way.

Here is the piece of code from libModSecurity for this specific directive:

https://github.com/SpiderLabs/ModSecurity/blob/libmodsecurity/src/parser/seclang-scanner.ll#L80

Notice the `?i:`, this is the key to make the directive case insensitive.

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>
From: Christian F. <chr...@ne...> - 2016-09-05 14:14:47
Hello Felipe,

Thank you for your swift response.

On Mon, Sep 05, 2016 at 01:58:24PM +0000, Felipe Costa wrote:
> Good question. The directive names in all versions (including nginx, iis and libModSecurity)
> should be treated in the same way.

With Apache, it is the Apache directive parser which guarantees that
directives are case insensitive. So I was not sure for the other
cases. But you confirm it's the same with IIS and nginX (and
libmodsec, where you made sure it works consistently)?

Ahoj,

Christian

--
Ignorance, allied with power, is the most ferocious enemy justice can
have.
-- James Baldwin
From: Felipe C. <FC...@tr...> - 2016-09-05 15:52:13
Hi Christian,

On 9/5/16, 11:14 AM, "Christian Folini" <chr...@ne...> wrote:
(…)
>With Apache, it is the Apache directive parser which guarantees that
>directives are case insensitive. So I was not sure for the other
>cases. But you confirm it's the same with IIS and nginX (and
>libmodsec, where you made sure it works consistently)?
>

For the apache version, like you cited, we use the Apache parser. For the standalone
modules (2.x family) we use standalone parser which is basically the same thing as
Apache does: [1]. The libmodsecurity implementation is the most different one, that
involves a grammar.

I would say that if one specific version is acting different from the others we have a bug.
Since the Apache is the first one, we have to respect what we have there.

[1] https://github.com/SpiderLabs/ModSecurity/blob/master/standalone/config.c

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>
From: Christian F. <chr...@ne...> - 2016-09-05 19:31:37
Great. Thanks.

As I stated in my first message, the source code says it's
SecGeoLookupDB and SecGsbLookupDB, while the documentation
consistently speaks of ...Db. Db would also be consistent
with the naming schema used throughout the other directives,
operators, actions etc.

So I wonder if the source code should not follow the schema.

Not that it would really matter as long as the parser
is case insensitive... ;)

Ahoj,

Christian
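
Added example, not part of the original thread and not ModSecurity code: a small audit that lists the directives in a configuration which load only because the parser ignores case, which is the property the thread says every port should share. The `DOCUMENTED` list, the sample configuration, its paths, the nonexistent `SecFrobnicate` directive and the function names are all constructed for illustration.

```python
import re

# Constructed subset of directive spellings as the reference manual writes
# them (assumption: the manual's casing, e.g. SecGeoLookupDb, is canonical).
DOCUMENTED = ["SecRuleEngine", "SecRule", "SecAction",
              "SecGeoLookupDb", "SecGsbLookupDb"]
BY_LOWER = {name.lower(): name for name in DOCUMENTED}
TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9_]*")

# Constructed sample config; paths are made up and SecFrobnicate is a
# deliberately nonexistent directive.
SAMPLE = """\
# constructed sample
SecRuleEngine On
SecGeoLookupDB /opt/geo/GeoLiteCity.dat
SECGSBLOOKUPDB /opt/gsb/gsb.dat
SecRule REQUEST_URI "@contains /admin" \\
    "id:1000,phase:1,deny"
secaction "id:1001,phase:1,pass,nolog"
SecFrobnicate On
"""

def logical_lines(text):
    """Yield (first line number, text), folding backslash continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def audit(text):
    """Report directives that load only because the parser ignores case."""
    findings = []
    for lineno, line in logical_lines(text):
        m = TOKEN.match(line.strip())
        if not m:  # blank lines and comments have no leading identifier
            continue
        token = m.group(0)
        canonical = BY_LOWER.get(token.lower())
        if canonical is None and token.lower().startswith("sec"):
            findings.append((lineno, token, "unknown", None))
        elif canonical is not None and token != canonical:
            findings.append((lineno, token, "case-variant", canonical))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Each "case-variant" finding marks a line that would stop loading on any port whose parser compared directive names case-sensitively, so the same list doubles as a regression input when comparing the Apache, standalone and libmodsecurity parsers.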