mod-security-users Mailing List for ModSecurity (Page 16)

Brought to you by: victorhora, zimmerletw

mod-security-users — General discussion about mod_security

You can subscribe to this list here.

2003	Jan	Feb	Mar	Apr	May	Jun (2)	Jul (17)	Aug (7)	Sep (8)	Oct (11)	Nov (14)	Dec (19)
2004	Jan (46)	Feb (14)	Mar (20)	Apr (48)	May (15)	Jun (20)	Jul (36)	Aug (24)	Sep (31)	Oct (28)	Nov (23)	Dec (12)
2005	Jan (69)	Feb (61)	Mar (82)	Apr (53)	May (26)	Jun (71)	Jul (27)	Aug (52)	Sep (28)	Oct (49)	Nov (104)	Dec (74)
2006	Jan (61)	Feb (148)	Mar (82)	Apr (139)	May (65)	Jun (116)	Jul (92)	Aug (101)	Sep (84)	Oct (103)	Nov (174)	Dec (102)
2007	Jan (166)	Feb (161)	Mar (181)	Apr (152)	May (192)	Jun (250)	Jul (127)	Aug (165)	Sep (97)	Oct (135)	Nov (206)	Dec (56)
2008	Jan (160)	Feb (135)	Mar (98)	Apr (89)	May (115)	Jun (95)	Jul (188)	Aug (167)	Sep (153)	Oct (84)	Nov (82)	Dec (85)
2009	Jan (139)	Feb (133)	Mar (128)	Apr (105)	May (135)	Jun (79)	Jul (92)	Aug (134)	Sep (73)	Oct (112)	Nov (159)	Dec (80)
2010	Jan (100)	Feb (116)	Mar (130)	Apr (59)	May (88)	Jun (59)	Jul (69)	Aug (67)	Sep (82)	Oct (76)	Nov (59)	Dec (34)
2011	Jan (84)	Feb (74)	Mar (81)	Apr (94)	May (188)	Jun (72)	Jul (118)	Aug (109)	Sep (111)	Oct (80)	Nov (51)	Dec (44)
2012	Jan (80)	Feb (123)	Mar (46)	Apr (12)	May (40)	Jun (62)	Jul (95)	Aug (66)	Sep (65)	Oct (53)	Nov (42)	Dec (60)
2013	Jan (96)	Feb (96)	Mar (108)	Apr (72)	May (115)	Jun (111)	Jul (114)	Aug (87)	Sep (93)	Oct (97)	Nov (104)	Dec (82)
2014	Jan (96)	Feb (77)	Mar (71)	Apr (40)	May (48)	Jun (78)	Jul (54)	Aug (44)	Sep (58)	Oct (79)	Nov (51)	Dec (52)
2015	Jan (55)	Feb (59)	Mar (48)	Apr (40)	May (45)	Jun (63)	Jul (36)	Aug (49)	Sep (35)	Oct (58)	Nov (21)	Dec (47)
2016	Jan (35)	Feb (81)	Mar (43)	Apr (41)	May (77)	Jun (52)	Jul (39)	Aug (34)	Sep (107)	Oct (67)	Nov (54)	Dec (20)
2017	Jan (99)	Feb (37)	Mar (86)	Apr (47)	May (57)	Jun (55)	Jul (34)	Aug (31)	Sep (16)	Oct (49)	Nov (53)	Dec (33)
2018	Jan (25)	Feb (11)	Mar (79)	Apr (77)	May (5)	Jun (19)	Jul (17)	Aug (7)	Sep (13)	Oct (22)	Nov (13)	Dec (68)
2019	Jan (44)	Feb (17)	Mar (40)	Apr (39)	May (18)	Jun (14)	Jul (20)	Aug (31)	Sep (11)	Oct (35)	Nov (3)	Dec (10)
2020	Jan (32)	Feb (16)	Mar (10)	Apr (22)	May (2)	Jun (34)	Jul (1)	Aug (8)	Sep (36)	Oct (16)	Nov (13)	Dec (10)
2021	Jan (16)	Feb (23)	Mar (45)	Apr (28)	May (6)	Jun (17)	Jul (8)	Aug (1)	Sep (2)	Oct (35)	Nov	Dec (5)
2022	Jan	Feb (17)	Mar (23)	Apr (23)	May (9)	Jun (8)	Jul	Aug	Sep (7)	Oct (5)	Nov (16)	Dec (4)
2023	Jan	Feb	Mar (3)	Apr	May (1)	Jun (4)	Jul (1)	Aug	Sep (2)	Oct (1)	Nov	Dec
2024	Jan (7)	Feb (13)	Mar (18)	Apr	May	Jun	Jul	Aug	Sep (2)	Oct (1)	Nov (5)	Dec (3)
2025	Jan	Feb	Mar	Apr (12)	May (12)	Jun (2)	Jul (3)	Aug	Sep	Oct	Nov	Dec

Flat | Threaded

<< < 1 .. 14 15 16 17 18 .. 587 > >> (Page 16 of 587)

Re: [mod-security-users] Using 'deprecatevar' on multiple variables in a collection

From: Andrew H. <and...@lo...> - 2021-01-11 14:48:59

Hi,

I wanted to follow up with some further investigation into this.
Hopefully, these findings may help someone else in a similar scenario
in the future.

I ended up going through ModSecurity's (2.x) source to confirm how the
'deprecatevar' action works. Looking at re_actions.c confirmed my
suspicion: all variables in a given persistent collection are tied to
a *single timestamp* (LAST_UPDATE_TIME) for the purposes of
calculating their deprecation. This can cause strange behaviour when
deprecatevar is used on multiple variables in the same collection.

I've written a full explanation about this in a blog post, which can
be found here: https://www.loadbalancer.org/blog/modsecurity-and-the-case-of-the-never-decreasing-variables/

I've also written a Lua script which I'm using to work around this
issue. The script has been published to GitHub, here:
https://github.com/loadbalancer-org/modsec_decrement_script

If nothing else, this was a fun opportunity to spend time poking
around ModSecurity's source code :)

Thanks,
Andrew

-- 
Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org

Re: [mod-security-users] CRS Issues being automatically closed?

From: Bill S. <bi...@go...> - 2021-01-11 14:11:49

Christian,
Thank you for the explanation.

On Mon, Jan 11, 2021, 1:22 AM Christian Folini <chr...@ne...>
wrote:

> Hey Jamie,
>
> This is the mailing list for the ModSecurity engine. The CRS project has a
> separate mailinglist over at
>
> https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
>
> But let me answer your question nevertheless:
>
> You are correct and this configuration to close stale issues after 120
> days is
> offensive. And we did not take it lightly. We have been struggling with not
> being able to address all the issues for years. We tried different methods,
> scheduling, assigning, highlighting, inviting the wider community to help,
> tagging as "#goodfirstissue" etc.  But it did not bring a real solution:
> The
> issues pile up and new issues (also vital ones!) can end up buried under a
> pile that is too big to plough through.
>
> As most open source projects, CRS is a volunteer driven project. People
> work
> on CRS because they want to work on CRS. Some steal time from their
> companies
> to do so, some put their children to bed to hack away. But it is always
> time
> that our developers give to the project freely. I as a co-leader of the
> project can not force issues into their hands. All I can do is making CRS a
> fun project to work with and prepare the environment in a way that makes
> it easy and cool to work on CRS.
>
> And the huge pile of issues started to have a chilling effect on
> developers or
> new developers. There is a moment where the pile is so big, you are not
> even
> addressing what you can address because of all the rest. Looking at the
> 36 issues open right now feels managable and most issues are being
> addressed.
> (You can tell easily, since most open issues do have a conversation
> history.)
>
> So we talked about the step a big deal and we took the decision about a
> year
> ago.  Ultimately it was a decision to pick between the goodwill and health
> of
> the developers and the goodwill of individual users. I am really not happy
> with the way it is and I have a new plan to help us address all the issues
> before they get stale. But it is not quite ready to share.
>
> What can you do: If you care about an issue, then comment on it. We read
> every
> comment on every issue. If get the notice that the issue has been tagged
> for
> removal (the tag "Stale issue" is being applied 2 weeks or so before it
> gets
> closed), then comment on the issue and tell us you still care. Also
> multiple
> users chiming in give an issue priority in our eyes. We currently do an
> issue
> chat once a month (3rd Monday every month), where we look into 5-10 open
> issues. One way to make sure an issue makes it into that meeting is the tag
> "Meeting agenda". Ask us to add this tag and we will take it on the list.
>
> All in all, using the services of the stale issue bot is not a sign that
> we do
> not care. Quite the opposite. We care a lot and we feel bad about using the
> stale issue bot. But it was the only solution we saw.
>
> Hope this explains our reasoning a bit.
>
> Best regards and thanks for speaking up,
>
> Christian Folini, CRS Co-Lead
>
>
>
>
>
>
> On Mon, Jan 11, 2021 at 12:49:17AM +0000, Jamie Burchell wrote:
> > Hi CRS Team
> >
> > I'm disappointed to see that issues I'm reporting (FPs) (e.g.
> > https://github.com/coreruleset/coreruleset/issues/1864) are being
> > automatically closed by stalebot. I fully understand that there may not
> be
> > the time nor the resources to address issues reported, and I know why
> > stalebot exists, but I don't think rule issues that people have spent
> time
> > looking at and reporting should be closed before they are actually
> > addressed. It certainly doesn't encourage me to continue reporting them
> > moving forward.
> >
> > Cheers, Jamie
>
>
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
>
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>

Re: [mod-security-users] CRS Issues being automatically closed?

From: Christian F. <chr...@ne...> - 2021-01-11 14:02:53

Hello Jamie,

On Mon, Jan 11, 2021 at 12:10:03PM -0000, Jamie Burchell wrote:
> Thanks for the response and apologise for posting in the incorrect list.

No worries.

> Great to see there is things in development to address this.
> 
> I just wanted to re-iterate that the issue I raise is not one of
> expectation for anyone to look at the issues reported (in their spare time
> or otherwise) - I fully understand your points here. Rather, I would just
> prefer to see current issues not automatically closed and buried.

Ah. Thanks. We're full of guilt already, so my reaction tends to be a bit
on the defensive side when it comes to this topic.

The issues are not gone, they are just a bit hidden. But I have now added a
link to a query that lets you filter for them on github. The link is in our
README and also on the coreruleset.org website. I think we should have added
this before and also documented the process much earlier. Thanks for pointing
it out.

Cheers,

Christian


> 
> Best Regards,
> Jamie
> 
> -----Original Message-----
> From: Christian Folini <chr...@ne...>
> Sent: 11 January 2021 07:21
> To: mod...@li...
> Subject: Re: [mod-security-users] CRS Issues being automatically closed?
> 
> Hey Jamie,
> 
> This is the mailing list for the ModSecurity engine. The CRS project has a
> separate mailinglist over at
> 
> https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
> 
> But let me answer your question nevertheless:
> 
> You are correct and this configuration to close stale issues after 120
> days is offensive. And we did not take it lightly. We have been struggling
> with not being able to address all the issues for years. We tried
> different methods, scheduling, assigning, highlighting, inviting the wider
> community to help, tagging as "#goodfirstissue" etc.  But it did not bring
> a real solution: The issues pile up and new issues (also vital ones!) can
> end up buried under a pile that is too big to plough through.
> 
> As most open source projects, CRS is a volunteer driven project. People
> work on CRS because they want to work on CRS. Some steal time from their
> companies to do so, some put their children to bed to hack away. But it is
> always time that our developers give to the project freely. I as a
> co-leader of the project can not force issues into their hands. All I can
> do is making CRS a fun project to work with and prepare the environment in
> a way that makes it easy and cool to work on CRS.
> 
> And the huge pile of issues started to have a chilling effect on
> developers or new developers. There is a moment where the pile is so big,
> you are not even addressing what you can address because of all the rest.
> Looking at the
> 36 issues open right now feels managable and most issues are being
> addressed.
> (You can tell easily, since most open issues do have a conversation
> history.)
> 
> So we talked about the step a big deal and we took the decision about a
> year ago.  Ultimately it was a decision to pick between the goodwill and
> health of the developers and the goodwill of individual users. I am really
> not happy with the way it is and I have a new plan to help us address all
> the issues before they get stale. But it is not quite ready to share.
> 
> What can you do: If you care about an issue, then comment on it. We read
> every comment on every issue. If get the notice that the issue has been
> tagged for removal (the tag "Stale issue" is being applied 2 weeks or so
> before it gets closed), then comment on the issue and tell us you still
> care. Also multiple users chiming in give an issue priority in our eyes.
> We currently do an issue chat once a month (3rd Monday every month), where
> we look into 5-10 open issues. One way to make sure an issue makes it into
> that meeting is the tag "Meeting agenda". Ask us to add this tag and we
> will take it on the list.
> 
> All in all, using the services of the stale issue bot is not a sign that
> we do not care. Quite the opposite. We care a lot and we feel bad about
> using the stale issue bot. But it was the only solution we saw.
> 
> Hope this explains our reasoning a bit.
> 
> Best regards and thanks for speaking up,
> 
> Christian Folini, CRS Co-Lead
> 
> 
> 
> 
> 
> 
> On Mon, Jan 11, 2021 at 12:49:17AM +0000, Jamie Burchell wrote:
> > Hi CRS Team
> >
> > I'm disappointed to see that issues I'm reporting (FPs) (e.g.
> > https://github.com/coreruleset/coreruleset/issues/1864) are being
> > automatically closed by stalebot. I fully understand that there may
> > not be the time nor the resources to address issues reported, and I
> > know why stalebot exists, but I don't think rule issues that people
> > have spent time looking at and reporting should be closed before they
> > are actually addressed. It certainly doesn't encourage me to continue
> > reporting them moving forward.
> >
> > Cheers, Jamie
> 
> 
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
> 
> 
> 
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
> 
> 
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

Re: [mod-security-users] CRS Issues being automatically closed?

From: Jamie B. <ja...@ib...> - 2021-01-11 12:18:13

Hi Christian

Thanks for the response and apologise for posting in the incorrect list.
Great to see there is things in development to address this.

I just wanted to re-iterate that the issue I raise is not one of
expectation for anyone to look at the issues reported (in their spare time
or otherwise) - I fully understand your points here. Rather, I would just
prefer to see current issues not automatically closed and buried.

Best Regards,
Jamie

-----Original Message-----
From: Christian Folini <chr...@ne...>
Sent: 11 January 2021 07:21
To: mod...@li...
Subject: Re: [mod-security-users] CRS Issues being automatically closed?

Hey Jamie,

This is the mailing list for the ModSecurity engine. The CRS project has a
separate mailinglist over at

https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project

But let me answer your question nevertheless:

You are correct and this configuration to close stale issues after 120
days is offensive. And we did not take it lightly. We have been struggling
with not being able to address all the issues for years. We tried
different methods, scheduling, assigning, highlighting, inviting the wider
community to help, tagging as "#goodfirstissue" etc.  But it did not bring
a real solution: The issues pile up and new issues (also vital ones!) can
end up buried under a pile that is too big to plough through.

As most open source projects, CRS is a volunteer driven project. People
work on CRS because they want to work on CRS. Some steal time from their
companies to do so, some put their children to bed to hack away. But it is
always time that our developers give to the project freely. I as a
co-leader of the project can not force issues into their hands. All I can
do is making CRS a fun project to work with and prepare the environment in
a way that makes it easy and cool to work on CRS.

And the huge pile of issues started to have a chilling effect on
developers or new developers. There is a moment where the pile is so big,
you are not even addressing what you can address because of all the rest.
Looking at the
36 issues open right now feels managable and most issues are being
addressed.
(You can tell easily, since most open issues do have a conversation
history.)

So we talked about the step a big deal and we took the decision about a
year ago.  Ultimately it was a decision to pick between the goodwill and
health of the developers and the goodwill of individual users. I am really
not happy with the way it is and I have a new plan to help us address all
the issues before they get stale. But it is not quite ready to share.

What can you do: If you care about an issue, then comment on it. We read
every comment on every issue. If get the notice that the issue has been
tagged for removal (the tag "Stale issue" is being applied 2 weeks or so
before it gets closed), then comment on the issue and tell us you still
care. Also multiple users chiming in give an issue priority in our eyes.
We currently do an issue chat once a month (3rd Monday every month), where
we look into 5-10 open issues. One way to make sure an issue makes it into
that meeting is the tag "Meeting agenda". Ask us to add this tag and we
will take it on the list.

All in all, using the services of the stale issue bot is not a sign that
we do not care. Quite the opposite. We care a lot and we feel bad about
using the stale issue bot. But it was the only solution we saw.

Hope this explains our reasoning a bit.

Best regards and thanks for speaking up,

Christian Folini, CRS Co-Lead

On Mon, Jan 11, 2021 at 12:49:17AM +0000, Jamie Burchell wrote:
> Hi CRS Team
>
> I'm disappointed to see that issues I'm reporting (FPs) (e.g.
> https://github.com/coreruleset/coreruleset/issues/1864) are being
> automatically closed by stalebot. I fully understand that there may
> not be the time nor the resources to address issues reported, and I
> know why stalebot exists, but I don't think rule issues that people
> have spent time looking at and reporting should be closed before they
> are actually addressed. It certainly doesn't encourage me to continue
> reporting them moving forward.
>
> Cheers, Jamie

> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Re: [mod-security-users] CRS Issues being automatically closed?

From: Christian F. <chr...@ne...> - 2021-01-11 07:21:26

Hey Jamie,

This is the mailing list for the ModSecurity engine. The CRS project has a
separate mailinglist over at

https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project

But let me answer your question nevertheless:

You are correct and this configuration to close stale issues after 120 days is
offensive. And we did not take it lightly. We have been struggling with not
being able to address all the issues for years. We tried different methods,
scheduling, assigning, highlighting, inviting the wider community to help,
tagging as "#goodfirstissue" etc.  But it did not bring a real solution: The
issues pile up and new issues (also vital ones!) can end up buried under a
pile that is too big to plough through.

As most open source projects, CRS is a volunteer driven project. People work
on CRS because they want to work on CRS. Some steal time from their companies
to do so, some put their children to bed to hack away. But it is always time
that our developers give to the project freely. I as a co-leader of the
project can not force issues into their hands. All I can do is making CRS a
fun project to work with and prepare the environment in a way that makes
it easy and cool to work on CRS.

And the huge pile of issues started to have a chilling effect on developers or
new developers. There is a moment where the pile is so big, you are not even
addressing what you can address because of all the rest. Looking at the 
36 issues open right now feels managable and most issues are being addressed.
(You can tell easily, since most open issues do have a conversation history.)

So we talked about the step a big deal and we took the decision about a year
ago.  Ultimately it was a decision to pick between the goodwill and health of
the developers and the goodwill of individual users. I am really not happy
with the way it is and I have a new plan to help us address all the issues
before they get stale. But it is not quite ready to share.

What can you do: If you care about an issue, then comment on it. We read every
comment on every issue. If get the notice that the issue has been tagged for
removal (the tag "Stale issue" is being applied 2 weeks or so before it gets
closed), then comment on the issue and tell us you still care. Also multiple
users chiming in give an issue priority in our eyes. We currently do an issue
chat once a month (3rd Monday every month), where we look into 5-10 open
issues. One way to make sure an issue makes it into that meeting is the tag
"Meeting agenda". Ask us to add this tag and we will take it on the list.

All in all, using the services of the stale issue bot is not a sign that we do
not care. Quite the opposite. We care a lot and we feel bad about using the
stale issue bot. But it was the only solution we saw.

Hope this explains our reasoning a bit.

Best regards and thanks for speaking up,

Christian Folini, CRS Co-Lead

On Mon, Jan 11, 2021 at 12:49:17AM +0000, Jamie Burchell wrote:
> Hi CRS Team
> 
> I'm disappointed to see that issues I'm reporting (FPs) (e.g.
> https://github.com/coreruleset/coreruleset/issues/1864) are being
> automatically closed by stalebot. I fully understand that there may not be
> the time nor the resources to address issues reported, and I know why
> stalebot exists, but I don't think rule issues that people have spent time
> looking at and reporting should be closed before they are actually
> addressed. It certainly doesn't encourage me to continue reporting them
> moving forward.
> 
> Cheers, Jamie

> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

[mod-security-users] CRS Issues being automatically closed?

From: Jamie B. <ja...@ib...> - 2021-01-11 02:42:41

Hi CRS Team

I'm disappointed to see that issues I'm reporting (FPs) (e.g. https://github.com/coreruleset/coreruleset/issues/1864) are being automatically closed by stalebot. I fully understand that there may not be the time nor the resources to address issues reported, and I know why stalebot exists, but I don't think rule issues that people have spent time looking at and reporting should be closed before they are actually addressed. It certainly doesn't encourage me to continue reporting them moving forward.

Cheers,
Jamie

Re: [mod-security-users] The difference between v2 and v3

From: Michael W. <sco...@ya...> - 2021-01-08 17:05:25

Thanks for the info
Tel:       01257 266394 Mobile: 07944032617 Email:  sco...@ya... 

    On Friday, 8 January 2021, 15:37:02 GMT, Christian Folini <chr...@ne...> wrote:  

 On Fri, Jan 08, 2021 at 02:59:34PM +0000, Michael Woods via mod-security-users
wrote:
> We are current users of version 2 of mod_security and wondering what is the
> differences between this and version 3. What issues are experienced when
> moving to version 2?regards

Different when moving from v2 to v3? Or the other way around? Your wording is
not quite clear, sorry.

Brief summary of what is potentially a big discussion:

v3 has the advantage it runs "stable" on nginx. I put this in apostrophes,
since it has certain gaps in the implementation and suffers from a series of
weaknesses.

The ModSecurity reference platform for the OWASP ModSecurity Core Rule Set
project (CRS) is ModSecurity v2 on Apache 2.4.

v3 fails to pass the testsuite of CRS  because of the issues named above
and also has severe performance problems.

On the bright side, v3 is actively developed, while v2 is stable but no longer
under active development. Also, ModSecurity v2 is not stable on Nginx.

Regs,

Christian

> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Re: [mod-security-users] The difference between v2 and v3

From: Christian F. <chr...@ne...> - 2021-01-08 15:36:24

On Fri, Jan 08, 2021 at 02:59:34PM +0000, Michael Woods via mod-security-users
wrote:
> We are current users of version 2 of mod_security and wondering what is the
> differences between this and version 3. What issues are experienced when
> moving to version 2?regards

Different when moving from v2 to v3? Or the other way around? Your wording is
not quite clear, sorry.

Brief summary of what is potentially a big discussion:

v3 has the advantage it runs "stable" on nginx. I put this in apostrophes,
since it has certain gaps in the implementation and suffers from a series of
weaknesses.

The ModSecurity reference platform for the OWASP ModSecurity Core Rule Set
project (CRS) is ModSecurity v2 on Apache 2.4.

v3 fails to pass the testsuite of CRS  because of the issues named above
and also has severe performance problems.

On the bright side, v3 is actively developed, while v2 is stable but no longer
under active development. Also, ModSecurity v2 is not stable on Nginx.

Regs,

Christian

> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

[mod-security-users] The difference between v2 and v3

From: Michael W. <sco...@ya...> - 2021-01-08 14:59:51

We are current users of version 2 of mod_security and wondering what is the differences between this and version 3. What issues are experienced when moving to version 2?regards

[mod-security-users] A nested json rule question

From: Brian C. <bri...@ml...> - 2021-01-06 11:25:36

Hi all,
I'm using mod_security 3.x.
I have a post request which the body contains nested json like below,

*{*
*  "field1": 111,*
*  "field2": [*
*    {*
*      "ff1": 1111*
*    },*
*    {*
*      "ff2": {*
*        "fff1": 11111*
*      }*
*    }*
*  ]*
*}*

I want to check the field exist so that I can make sure the post request is
legal.

So I wrote the rule below:
*SecRule ARGS_NAMES:json.field2.ff2.fff1 "fff1" "id:'200444',phase:3,log"*

Is this correct? Or should I change pattens to *"**json.field2.ff2.fff1"*?

As mentioned above, if I modified the rule to
*SecRule ARGS_NAMES "json.field2.ff2.fff1**"(or "fff1")
"id:'200444',phase:3,log"*

I should get the same result, right?


Best Regards,
Brian

Re: [mod-security-users] SecRuleUpdateTargetById in 3.0.4

From: Jose R R <jos...@me...> - 2021-01-05 19:54:36

On Tue, Jan 5, 2021 at 9:21 AM Henri Cook <he...@pr...> wrote:
>
> Hi everyone,
>
> I attempted an upgrade to 3.0.4 today from 3.0.3. Unfortunately I can't get over a hurdle.
>
> I have an existing rule:
>
> ```
> # Rule 930110 matches "..\u003e" in body (HTML escaped JSON value "..<")
> # Replacing REQUEST_BODY with ARGS_NAMES|ARGS fixes the issue as the rule see
> # the value after Unicode decoding '\u003e' => '>'.
> SecRuleUpdateTargetById 930110 "!REQUEST_BODY"
> SecRuleUpdateTargetById 930110 ARGS_NAMES,ARGS
> ```
>
> Due to modsec issue https://github.com/SpiderLabs/ModSecurity/issues/2251 it seems i'm using the 'non-regex' form of the rule that's fixed in master but not yet released.
>
> First I tried a patch, which failed to apply (any advice on how to patch this from the 3.0.4 tag would be appreciated) with this in my build process:
>
> ```
> curl -fSL https://github.com/SpiderLabs/ModSecurity/commit/1b1fdc055b8071ad3b24573abfe9b96e546c7abf.patch | patch -p1 && \
> ```
>
> When that didn't apply
CHANGES.rej is the only (non-)issue as the patch effectively applies
(inside your modsecurity-v3.0.4 directory) to all other files as .. |
patch --fuzz=0 -p1 .
As far as I can tell, you may edit CHANGES file manually by adding the
content inside CHANGES.rej and then removing the latter.

> I tried (as a temporary workaround) removing the rule, but for some reason it was still triggering in my unit tests. For that I used:
>
> ```
> SecRuleRemoveById 930110
> ```
>
> I don't really know where to go from here, i'm using the CRS 3.2.0 ruleset.
>
> Best Regards,
>
> Henri
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

Best Professional Regards.

--
Jose R R
http://metztli.it
---------------------------------------------------------------------------------------------
Download Metztli Reiser4: Debian Buster w/ Linux 5.9.15 AMD64
---------------------------------------------------------------------------------------------
feats ZSTD compression https://sf.net/projects/metztli-reiser4/
---------------------------------------------------------------------------------------------
or SFRN 5.1.3, Metztli Reiser5 https://sf.net/projects/debian-reiser4/
-------------------------------------------------------------------------------------------
Official current Reiser4 resources: https://reiser4.wiki.kernel.org/
-------------------------------------------------------------------------------------------
Build Engine X 1.19.6 with built-in Nginx connector v1.0.1 module:
------------------------------------------------------------------------------------------
https://github.com/Metztli/debian-modsecurity-nginx-connector
------------------------------------------------------------------------------------------

[mod-security-users] SecRuleUpdateTargetById in 3.0.4

From: Henri C. <he...@pr...> - 2021-01-05 17:19:42

Hi everyone,

I attempted an upgrade to 3.0.4 today from 3.0.3. Unfortunately I can't get
over a hurdle.

I have an existing rule:

```
# Rule 930110 matches "..\u003e" in body (HTML escaped JSON value "..<")
# Replacing REQUEST_BODY with ARGS_NAMES|ARGS fixes the issue as the rule
see
# the value after Unicode decoding '\u003e' => '>'.
SecRuleUpdateTargetById 930110 "!REQUEST_BODY"
SecRuleUpdateTargetById 930110 ARGS_NAMES,ARGS
```

Due to modsec issue https://github.com/SpiderLabs/ModSecurity/issues/2251
it seems i'm using the 'non-regex' form of the rule that's fixed in master
but not yet released.

First I tried a patch, which failed to apply (any advice on how to patch
this from the 3.0.4 tag would be appreciated) with this in my build process:

```
curl -fSL
https://github.com/SpiderLabs/ModSecurity/commit/1b1fdc055b8071ad3b24573abfe9b96e546c7abf.patch
| patch -p1 && \
```

When that didn't apply I tried (as a temporary workaround) removing the
rule, but for some reason it was still triggering in my unit tests. For
that I used:

```
SecRuleRemoveById 930110
```

I don't really know where to go from here, i'm using the CRS 3.2.0 ruleset.

Best Regards,

Henri

[mod-security-users] High memory usage with nginx on 3.0.3

From: Henri C. <he...@pr...> - 2021-01-05 17:14:26

Hi all,

I'm running modsecurity 3.0.3 and modsecurity-nginx 1.0.0

Recently i've been working with a new payload, which is about 5.5MB of
JSON. When anyone POSTs this to my nginx instance memory on the container
goes from about 30MB (resting rate) to 140MB!

I've tried turning off the rule engine (ctl:ruleEngine=off) for traffic to
this specific path (@beginsWith /foo) but memory usage is still jumping
massively.

Can anyone think that might be causing this? and how I might stop it? I
could live without having this content inspected if that's what it takes.

Best Regards,

Henri

[mod-security-users] CRS v3.3.1 Release Candidate 1 available

From: Walter H. <mo...@sp...> - 2020-12-28 18:08:16

The OWASP ModSecurity Core Rule Set team is proud to announce the release candidate 1 for the upcoming CRS v3.3.1 release. The release candidate is available at:

https://github.com/coreruleset/coreruleset/archive/v3.3.1-rc1.tar.gz
https://github.com/coreruleset/coreruleset/archive/v3.3.1-rc1.zip

This is a maintenance release, containing the following changes:

- Run rules as early as possible, by decreasing phase:2 to phase:1 and phase:4 to phase:3 where the variables allow it (Ervin Hegedüs)
- Add early blocking mode (tx.blocking_early) to block at the end of phase:1 and phase:3 (Christian Folini)

There are no changes to attack detections, so this release is mostly a “drop-in” replacement for our former release 3.3.0. If you are already running v3.3.0, you can simply extract the files over your existing files.

The early blocking mode may improve performance, as it allows to block a request quickly before processing of rules in phase 2 takes place (however, most attack detections still take place in phase 2). To use this feature, enable the tx.blocking_early setting in crs-setup.conf. Please see the example configuration file for more details: https://github.com/coreruleset/coreruleset/blob/v3.3.1-rc1/crs-setup.conf.example#L320

Our desire is to see the Core Rule Set project used as a baseline security feature, effectively protecting from OWASP Top 10 risks with few side effects. As such we attempt to cut down on false positives as much as possible in the default install. This RC therefore offers an opportunity for individuals to provide feedback and to report any issue they face with this release. We will then try and fix them for the upcoming full release.

Please use the CRS GitHub (https://github.com/coreruleset/coreruleset), our slack channel (#coreruleset on owasp.slack.com), or the Core Rule Set mailing list to tell us about your experiences, including false positives or other issues with this release candidate.

We plan the release on Tuesday the 5th of January 2021.

We look forward to hearing your feedback!

Sincerely,
Walter Hop, release manager, on behalf of the Core Rule Set development team