mod-security-users Mailing List for ModSecurity (Page 542)
From: Ivan R. <iv...@we...> - 2006-01-27 17:58:25
|
PERA, Christophe wrote:
> Hello,
>
> I try to implement the following rule but mod_sec doesn't match:
>
> SecFilterSelective REQUEST_URI "//" deny
>
> I don't understand because all other rules are well performed.
>
> Could you tell me how to implement it?

You can't, at least not yet. ModSecurity automatically compresses consecutive / characters into one - that's why yours does not match.

FYI future releases are likely to allow you to configure exactly which normalisation methods to apply, and it will become possible to avoid the problem.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
|
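The slash compression Ivan describes, as an added example (not code from the thread or from ModSecurity): a simplified model of normalising a request path before rule matching, showing why a pattern written against the normalised value can never see "//", while an encoded traversal only becomes matchable after normalisation. Only the slash compression is stated in the reply; the percent-decoding step is an assumption about what a normaliser of this kind does.

```python
import re
from urllib.parse import unquote


def normalize_path(raw_path: str) -> str:
    """Simplified model of the normalisation applied before rules run.
    Step 1 (assumed): decode %xx escapes so obfuscated input matches.
    Step 2 (stated in the thread): compress runs of '/' into one."""
    decoded = unquote(raw_path)
    return re.sub(r"/{2,}", "/", decoded)


def rule_matches(pattern: str, value: str) -> bool:
    """A SecFilterSelective-style check: a regex search over the chosen value."""
    return re.search(pattern, value) is not None


def evaluate(raw_path: str, pattern: str) -> dict:
    """Run the same pattern against the raw and the normalised path so the
    effect of normalisation on a rule is visible side by side."""
    normalized = normalize_path(raw_path)
    return {
        "normalized": normalized,
        "matches_raw": rule_matches(pattern, raw_path),
        "matches_normalized": rule_matches(pattern, normalized),
    }


if __name__ == "__main__":
    # Constructed request paths, not taken from the list.
    # The rule from the thread only ever sees the normalised value, so the
    # doubled slash is gone before the regex runs.
    print(evaluate("/cgi-bin//script.cgi", "//"))
    # The flip side: an encoded traversal is invisible in the raw path and
    # only matches after decoding, which is why rules run on normalised data.
    print(evaluate("/docs/%2E%2E/secret", r"\.\./"))
```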
From: PERA, C. <chr...@ai...> - 2006-01-27 17:27:32
|
Hello,

I try to implement the following rule but mod_sec doesn't match:

SecFilterSelective REQUEST_URI "//" deny

I don't understand because all other rules are well performed.

Could you tell me how to implement it?

Best regards,
Christophe
|
|
From: Augie S. <aug...@gm...> - 2006-01-26 22:04:43
|
On 1/26/06, BassPlayer <bas...@an...> wrote:
> I've done some google searches and checked the site and I didn't see any
> sort of audit_log parser and report generator. Anyone have any scripts
> already developed?

When I looked a month or so ago I found the same void; here are the few links I did find, but like I said it's not much:

http://textsnippets.com/posts/show/9
http://orderamidchaos.com/modsec/modsec_auditlog_parser
http://prwdot.org/code/modsecauditlogparse.txt

Something like an awstats plugin would be the coolest. I bet it's on every SysAdmin's to-do list, but there are so many other pressing things. :)

--
Registered Linux user #229905
GPG Public Key: http://www.schwer.us/schwer.asc
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
|
|
From: BassPlayer <bas...@an...> - 2006-01-26 20:54:23
|
Hi, I've done some google searches and checked the site and I didn't see any sort of audit_log parser and report generator. Anyone have any scripts already developed? Thanks in advance BP |
|
From: Ivan R. <iv...@we...> - 2006-01-25 10:57:07
|
> I've straced the process, but can't find anything that can point me in the right
> direction. Here is the output of my strace:

You don't appear to have gcc installed. What does "which gcc" say when you execute it?

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
|
From: Andres B. <and...@ho...> - 2006-01-25 03:31:39
|
Chris Mazza <cjmazza <at> optonline.net> writes:
>
> Hello,
>
> I am trying to install mod_security and I am getting the following error:
>
> [root <at> web apache1]# /hsphere/shared/apache/bin/apxs -cia mod_security.c
> gcc -DLINUX=22 -DHAVE_SET_DUMPABLE -I/usr/include/gdbm
> -DDEV_RANDOM=/dev/random -DMOD_SSL=208125 -DUSE_HSREGEX -DEAPI -DEAPI_MM
> -I/usr/kerberos/include -fpic -DSHARED_MODULE
> -I/hsphere/shared/apache/include -c mod_security.c
> gcc -shared -o mod_security.so mod_security.o
> [activating module `security' in /hsphere/local/config/httpd/httpd.conf]
> cp mod_security.so /hsphere/shared/apache/libexec/mod_security.so
> cp: cannot stat `mod_security.so': No such file or directory
> apxs:Break: Command failed with rc=1
>
> My info is as follows:
>
> Linux web.hspherenet.com 2.4.21-37.ELsmp #1 SMP Wed Sep 28 14:05:46 EDT 2005
> i686 i686 i386 GNU/Linux
>
> [root <at> web bin]# ./httpd -V
> Server version: Apache/1.3.34 (Unix)
> Server built: Nov 4 2005 19:46:33
> Server's Module Magic Number: 19990320:18
> Server compiled with....
> -D EAPI
> -D EAPI_MM
> -D EAPI_MM_CORE_PATH="/hsphere/local/var/httpd/logs/httpd.mm"
> -D HAVE_MMAP
> -D HAVE_SHMGET
> -D USE_SHMGET_SCOREBOARD
> -D USE_MMAP_FILES
> -D HAVE_FCNTL_SERIALIZED_ACCEPT
> -D HAVE_SYSVSEM_SERIALIZED_ACCEPT
> -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> -D DYNAMIC_MODULE_LIMIT=64
> -D HARD_SERVER_LIMIT=1024
> -D HTTPD_ROOT="/hsphere/shared/apache"
> -D SUEXEC_BIN="/hsphere/shared/apache/bin/suexec"
> -D DEFAULT_PIDLOG="/hsphere/local/var/httpd/logs/httpd.pid"
> -D DEFAULT_SCOREBOARD="/hsphere/local/var/httpd/logs/httpd.scoreboard"
> -D DEFAULT_LOCKFILE="/hsphere/local/var/httpd/logs/httpd.lock"
> -D DEFAULT_ERRORLOG="/hsphere/local/var/httpd/logs/error_log"
> -D TYPES_CONFIG_FILE="/hsphere/local/config/httpd/mime.types"
> -D SERVER_CONFIG_FILE="/hsphere/local/config/httpd/httpd.conf"
> -D ACCESS_CONFIG_FILE="/hsphere/local/config/httpd/access.conf"
> -D RESOURCE_CONFIG_FILE="/hsphere/local/config/httpd/srm.conf"
>
> [root <at> web bin]# ./httpd -l
> Compiled-in modules:
> http_core.c
> mod_vhost_alias.c
> mod_env.c
> mod_define.c
> mod_log_config.c
> mod_mime_magic.c
> mod_mime.c
> mod_negotiation.c
> mod_status.c
> mod_info.c
> mod_include.c
> mod_autoindex.c
> mod_dir.c
> mod_cgi.c
> mod_asis.c
> mod_imap.c
> mod_actions.c
> mod_speling.c
> mod_userdir.c
> mod_alias.c
> mod_rewrite.c
> mod_access.c
> mod_auth.c
> mod_auth_anon.c
> mod_auth_dbm.c
> mod_digest.c
> mod_proxy.c
> mod_cern_meta.c
> mod_expires.c
> mod_headers.c
> mod_usertrack.c
> mod_log_forensic.c
> mod_unique_id.c
> mod_so.c
> mod_setenvif.c
> mod_ssl.c
> mod_frontpage.c
> suexec: enabled; valid wrapper /hsphere/shared/apache/bin/suexec
>
> Using current Stable release of mod_security. This is for a web server and I
> can't figure out what is causing the install to fail.
> Any advice is greatly appreciated.
>
> Thanks,
> Chris

Chris,

I have a similar situation, but the weird part is that I was able to do it b4 with version 1.8.6. I have not changed my apache version and I am getting the following:

gcc -DLINUX=22 -I/usr/include/gdbm -DMOD_SSL=208116 -DEAPI -O2 -march=i386 -mcpu=i686 -fpic -DSHARED_MODULE -I/usr/include/apache -c mod_security.c
apxs:Break: Command failed with rc=16777215

I had the 1.8.6 module configured, but when I decided to upgrade it to the latest stable version (1.9.2) that is what I got. I've straced the process, but can't find anything that can point me in the right direction. Here is the output of my strace:

e/apache", "-c", "mod_security.c"], [/* 23 vars */] <unfinished ...>
[pid 11676] <... rt_sigaction resumed> {SIG_DFL}, 8) = 0
[pid 11678] <... execve resumed> ) = -1 ENOENT (No such file or directory)
[pid 11676] wait4(11678, <unfinished ...>
[pid 11678] execve("/usr/lib/courier-imap/bin/gcc", ["gcc", "-DLINUX=22", "-I/usr/include/gdbm", "-DMOD_SSL=208116", "-DEAPI", "-O2", "-march=i386", "-mcpu=i686", "-fpic", "-DSHARED_MODULE", "-I/usr/include/apache", "-c", "mod_security.c"], [/* 23 vars */]) = -1 ENOENT (No such file or directory)
[pid 11678] execve("/usr/local/sbin/gcc", ["gcc", "-DLINUX=22", "-I/usr/include/gdbm", "-DMOD_SSL=208116", "-DEAPI", "-O2", "-march=i386", "-mcpu=i686", "-fpic", "-DSHARED_MODULE", "-I/usr/include/apache", "-c", "mod_security.c"], [/* 23 vars */]) = -1 ENOENT (No such file or directory)
[pid 11678] execve("/usr/local/bin/gcc", ["gcc", "-DLINUX=22", "-I/usr/include/gdbm", "-DMOD_SSL=208116", "-DEAPI", "-O2", "-march=i386", "-mcpu=i686", "-fpic", "-DSHARED_MODULE", "-I/usr/include/apache", "-c", "mod_security.c"], [/* 23 vars */]) = -1 ENOENT (No such file or directory)
[pid 11678] execve("/sbin/gcc", ["gcc", "-DLINUX=22", "-I/usr/include/gdbm", "-DMOD_SSL=208116", "-DEAPI", "-O2", "-march=i386", "-mcpu=i686", "-fpic", "-DSHARED_MODULE", "-I/usr/include/apache", "-c", "mod_security.c"], [/* 23 vars */]) = -1 ENOENT (No such file or directory)
[pid 11678] execve("/bin/gcc", ["gcc", "-DLINUX=22", "-I/usr/include/gdbm", "-DMOD_SSL=208116", "-DEAPI", "-O2", "-march=i386", "-mcpu=i686", "-fpic", "-DSHARED_MODULE", "-I/usr/include/apache", "-c", "mod_security.c"], [/* 23 vars */]) = -1 ENOENT (No such file or directory)
[pid 11678] execve("/usr/sbin/gcc", ["gcc", "-DLINUX=22", "-I/usr/include/gdbm", "-DMOD_SSL=208116", "-DEAPI", "-O2", "-march=i386", "-mcpu=i686", "-fpic", "-DSHARED_MODULE", "-I/usr/include/apache", "-c", "mod_security.c"], [/* 23 vars */]) = -1 ENOENT (No such file or directory)
[pid 11678] execve("/usr/bin/gcc", ["gcc", "-DLINUX=22", "-I/usr/include/gdbm", "-DMOD_SSL=208116", "-DEAPI", "-O2", "-march=i386", "-mcpu=i686", "-fpic", "-DSHARED_MODULE", "-I/usr/include/apache", "-c", "mod_security.c"], [/* 23 vars */]) = -1 EACCES (Permission denied)
[pid 11678] execve("/usr/X11R6/bin/gcc", ["gcc", "-DLINUX=22", "-I/usr/include/gdbm", "-DMOD_SSL=208116", "-DEAPI", "-O2", "-march=i386", "-mcpu=i686", "-fpic", "-DSHARED_MODULE", "-I/usr/include/apache", "-c", "mod_security.c"], [/* 23 vars */]) = -1 ENOENT (No such file or directory)
[pid 11678] write(5, "\r\0\0\0", 4) = 4
[pid 11678] close(5) = 0
[pid 11678] _exit(-1) = ?
<... wait4 resumed> [WIFEXITED(s) && WEXITSTATUS(s) == 255], 0, NULL) = 11678
--- SIGCHLD (Child exited) ---
rt_sigaction(SIGINT, {SIG_DFL}, NULL, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL}, NULL, 8) = 0
read(4, "\r\0\0\0", 4) = 4
close(4) = 0
write(2, "apxs:Break: Command failed with "..., 44apxs:Break: Command failed with rc=16777215
) = 44
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
_exit(1)

Any ideas?
|
|
From: Ivan R. <iv...@we...> - 2006-01-19 10:34:03
|
Diego Pellegrino wrote:
> Hi. I would like to know if it's possible to change a specific character
> from a request forwarded by mod_security from the user browser to the web
> server

No, it's not. ModSecurity does not change content, it only observes the traffic.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
|
From: Ivan R. <iv...@we...> - 2006-01-19 10:31:43
|
Terry Dooher wrote:
>
> One question arises: If audit logging is already on, is it possible to
> override the existing SecAuditLog directive for specific Locations?

Yes, it is.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
|
From: Terry D. <tdo...@na...> - 2006-01-19 10:22:24
|
M.Saeed Shaikh wrote:
> Hi,
>
> Someone is spamming from our mail server. Is there any way to create a
> sendmail commands log file? So at least I can see who is using the
> sendmail command. I think it's using a php/FormMail script to send mail.
> However I already implemented the FormMail rule.
>
> I just want to create a log file whenever the sendmail command is used.

A simple (but blunt) way to do this would be to replace /bin/sendmail (or wherever it is) with a small script that logs whatever you want to log from the environment and the command input before passing them on to the real sendmail. This may create too much of an overhead on a busy system however.

In mod_security, you could set up a Location directive for the suspect script, which it seems you know, and add in some audit logging rules:

<Location /path/to/formail.php>
SecAuditEngine On
SecAuditLog path_to_formail_audit_log
</Location>

If you have an idea about how the script is being exploited, add in a filter match and set SecAuditEngine to RelevantOnly, otherwise you'll be logging every single request. See the Audit Logging section of the manual.

One question arises: If audit logging is already on, is it possible to override the existing SecAuditLog directive for specific Locations?

Terry.

> Thanx.
>
|
|
From: Diego P. <die...@ho...> - 2006-01-18 20:56:00
|
Hi. I would like to know if it's possible to change a specific character from a request forwarded by mod_security from the user browser to the web server.

For example:

if the parameter 'name' contains the characters '<' and '>'

name=Diego <duff> Pellegrino

the translated parameter should be

name=Diego [duff] Pellegrino

Thanks.
|
|
From: Ivan R. <iv...@we...> - 2006-01-18 11:29:42
|
Michael Fleming wrote:
> Ivan Ristic writes:
>
>> ModSecurity 1.9.2 has been released. It is available for
>> immediate download from:
>>
>> http://www.modsecurity.org/download/
>
> For users of Fedora Core (3,4 and rawhide, which will soon be FC5) I
> have updated the FC Extras RPM (mod_security) to this version. It should
> be pushed out to the FE mirrors in the next day or so (whenever their
> build system pushes newly built packages..)

Is there a page I could link to from modsecurity.org? Is this it: http://fedoraproject.org/wiki/Extras ?

Thanks!

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
|
From: Ivan R. <iv...@we...> - 2006-01-18 11:26:27
|
Alberto Gonzalez Iniesta wrote:
> On Tue, Jan 17, 2006 at 04:03:03PM +0000, Ivan Ristic wrote:
>> ModSecurity 1.9.2 has been released. It is available for
>> immediate download from:
>>
>> http://www.modsecurity.org/download/
>>
>> ModSecurity 1.9.2 is primarily a bug-fix release, but it
>> includes a few interesting new features.
>>
>
> Due to incompatibility issues with the GPL and the Apache license,
> ModSecurity packages will be removed from the official Debian archive
> soon. I'll continue to maintain those packages on my site. 1.9.2-pre3 is
> already there, 1.9.2 will be real soon. You may add this line to
> /etc/apt/sources.list to install them via apt:
>
> deb http://etc.inittab.org/~agi/debian/libapache-mod-security ./

I'll upload this information to modsecurity.org when the binaries for 1.9.2 appear.

Thanks!

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
|
From: Alberto G. I. <ag...@in...> - 2006-01-18 09:09:10
|
On Tue, Jan 17, 2006 at 04:03:03PM +0000, Ivan Ristic wrote:
>
> ModSecurity 1.9.2 has been released. It is available for
> immediate download from:
>
> http://www.modsecurity.org/download/
>
> ModSecurity 1.9.2 is primarily a bug-fix release, but it
> includes a few interesting new features.
>

Due to incompatibility issues with the GPL and the Apache license, ModSecurity packages will be removed from the official Debian archive soon. I'll continue to maintain those packages on my site. 1.9.2-pre3 is already there, 1.9.2 will be real soon. You may add this line to /etc/apt/sources.list to install them via apt:

deb http://etc.inittab.org/~agi/debian/libapache-mod-security ./

--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
|
|
From: Michael F. <mfl...@en...> - 2006-01-18 04:48:41
|
Ivan Ristic writes:
>
> ModSecurity 1.9.2 has been released. It is available for
> immediate download from:
>
> http://www.modsecurity.org/download/
>

For users of Fedora Core (3,4 and rawhide, which will soon be FC5) I have updated the FC Extras RPM (mod_security) to this version. It should be pushed out to the FE mirrors in the next day or so (whenever their build system pushes newly built packages..)

Cheers,
Michael Fleming (modsecurity package maintainer for Fedora Extras)
|
|
From: Steffen <in...@ap...> - 2006-01-17 17:09:38
|
The windows binary is available for Apache 2.2.0 and 2.0.55 at http://www.apachelounge.com .

Steffen

----- Original Message -----
From: "Ivan Ristic" <iv...@we...>
To: <mod...@li...>
Cc: <mod...@li...>
Sent: Tuesday, January 17, 2006 5:03 PM
Subject: [mod-security-users] ModSecurity 1.9.2 has been released

> ModSecurity 1.9.2 has been released. It is available for
> immediate download from:
>
> http://www.modsecurity.org/download/
>
> ModSecurity 1.9.2 is primarily a bug-fix release, but it
> includes a few interesting new features.
>
> ModSecurity can now be compiled against PCRE regex library
> (Apache 1.3.x only, Apache 2.x already uses PCRE), resulting
> in large performance increase. It is also possible to compile
> ModSecurity not to use suEXEC for process creation. Some
> concurrent audit logging improvements. New proof-of-concept
> script for real-time audit log centralisation. Many smaller
> bug fixes and improvements throughout.
>
>
> About ModSecurity
> -----------------
> ModSecurity is a web application firewall designed to protect
> vulnerable applications and reject manual and automated attacks.
> It is an open source intrusion detection and prevention system. It
> can work embedded in Apache, or as a standalone security device when
> configured to work as part of an Apache-based reverse proxy.
>
> Optionally, ModSecurity creates application audit logs, which contain
> the full request body in addition to all other details. Requests are
> filtered using regular expressions. Some of the things possible are:
>
> * Apply filters against any part of the request (URI,
> headers, either GET or POST)
> * Apply filters against individual parameters
> * Reject SQL injection attacks
> * Reject Cross site scripting attacks
> * Store the files uploaded through the web server, and have them
> checked by external scripts
>
> With a few general rules ModSecurity can protect from both known
> and unknown vulnerabilities. It excels as a tool for HTTP traffic
> monitoring and just-in-time patching.
>
> ModSecurity is dual-licensed. It can be used at no cost under the
> terms of GPL v2. Support and commercial licences (for end-users
> and OEM distributors) can be obtained from Thinking Stone
> (http://www.thinkingstone.com).
>
> --
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
|
From: Ivan R. <iv...@we...> - 2006-01-17 16:03:39
|
ModSecurity 1.9.2 has been released. It is available for
immediate download from:
http://www.modsecurity.org/download/
ModSecurity 1.9.2 is primarily a bug-fix release, but it
includes a few interesting new features.
ModSecurity can now be compiled against PCRE regex library
(Apache 1.3.x only, Apache 2.x already uses PCRE), resulting
in large performance increase. It is also possible to compile
ModSecurity not to use suEXEC for process creation. Some
concurrent audit logging improvements. New proof-of-concept
script for real-time audit log centralisation. Many smaller
bug fixes and improvements throughout.
About ModSecurity
-----------------
ModSecurity is a web application firewall designed to protect
vulnerable applications and reject manual and automated attacks.
It is an open source intrusion detection and prevention system. It
can work embedded in Apache, or as a standalone security device when
configured to work as part of an Apache-based reverse proxy.
Optionally, ModSecurity creates application audit logs, which contain
the full request body in addition to all other details. Requests are
filtered using regular expressions. Some of the things possible are:
* Apply filters against any part of the request (URI,
headers, either GET or POST)
* Apply filters against individual parameters
* Reject SQL injection attacks
* Reject Cross site scripting attacks
* Store the files uploaded through the web server, and have them
checked by external scripts
With a few general rules ModSecurity can protect from both known
and unknown vulnerabilities. It excels as a tool for HTTP traffic
monitoring and just-in-time patching.
ModSecurity is dual-licensed. It can be used at no cost under the
terms of GPL v2. Support and commercial licences (for end-users
and OEM distributors) can be obtained from Thinking Stone
(http://www.thinkingstone.com).
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
|
From: Ivan R. <iv...@we...> - 2006-01-17 11:31:06
|
Tom Anderson wrote:
> Ivan Ristic wrote:
>>> I think it would be extremely useful to be able to modify request
>>> content in this way rather than just flagging it.
>>
>>
>> Perhaps, give me one real-life example where you would use it?
>>
> The present example of trying to prevent HTML injection in posts where
> user input is going to be displayed on a webpage, possibly by software
> that doesn't do proper sanitizing of its own. Doing little-constrained
> wildcard matching like "<.+?>" is a recipe for potentially huge
> performance hits, plus it wholesale rejects user input that should
> otherwise be acceptable in an escaped format.
There are two problems with data sanitisation if it is going
to be performed on a web application firewall level:
1. Transforming data from one format to another is not an operation
that should be performed in this layer. Ideally, the application
should be in possession of raw data and only transform it when
the data needs to cross a system boundary. For example, move
from the application into the database. If you choose to transform
data sitting on the outside you can perform only one transformation,
which only works when there is one system boundary.
2. In a general case, the only way to really know how the data
should be sanitised is to completely understand the application.
You'd have to know where the data is flowing and how many
system boundaries it is crossing. The current state of software
development is that we are having a hard time getting the average
programmer to understand what they are doing ;) Web application
firewalls are managed by system administrators and security
people - I don't think it is realistic to expect them to
be able to understand applications on a sufficient level.
> Doing something like the last two should not be all that difficult, as
> simple generic escape functions can be written and simply applied to the
> argument listed. Just implementing SecFilterEscapeHTML ARG_BLOGPOST to
> replace SecFilterSelective ARG_BLOGPOST "<.+>" would both prevent lots
> of false positives (valid HTML discussions, etc) and measurably improve
> performance on moderately busy discussion forum or blog sites. This is
> real security, not just a perception... replacing key symbols with their
> HTML escape codes can annihilate HTML injection, XSS, and scripting
> attacks with little overhead.
Not in a general case. Depending on the application the "<" and ">"
characters may not be necessary to perform an XSS attack. This happens
for example, if the entry point for the intrusion is inside a tag
already, or inside JavaScript code.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
|
From: Achim H. <ki...@se...> - 2006-01-14 20:26:44
|
On Fri, 13 Jan 2006, Tom Anderson wrote:
!! mod_security shouldn't have this functionality, especially since it's
!! needed and useful in some circumstances, but users should understand
!! that it's not necessarily the best place to do it.
that's the point.
IMHO you give users and programmers a wrong feeling of security if they
read somewhere that for example "mod_security can do input sanitation".
But that's another discussion, let Ivan decide how to go from here ..
!! > OK, here we go, why you should not use something like s/</&lt;/
!! >
!! > assume you have an URL with following QUERY_STRING:
!! > cmd=ls
!! > where someone uses (for fun or whatever:)
!! > cmd=ls<i>/sbin/shutdown
!! > which might be "sanitized" to:
!! > cmd=ls&lt;i&gt;/sbin/shutdown
!!
!! Well, I wouldn't run that on the QUERY_STRING, I'd run it on a
!! particular argument which is going to be posted as HTML to a webpage and
!! not used in other contexts. Also, if you're allowing users to enter
!! commands directly on the QUERY_STRING, you've got bigger problems!
This example is not restricted to GET, could be POST too, and it could
be expanded to be a combination of more than one parameter, and, and, and ...
My intention was just to show in a short example what's wrong with such
sanitations. Could have used a SQL injection example too. It's an example,
nothing more, nothing less.
{-: Achim
|
|
From: Tom A. <tan...@oa...> - 2006-01-13 21:35:07
|
Achim Hoffmann wrote:
> I totally agree with Ivan: don't try to sanitize data at such a central place

I would tend to agree that sanitizing input should be done in the application itself. However, the main advantage of mod_security is that it is a central place to define security rules, and it runs before anything gets to the application layer which may be written by third parties and contain holes. In programs that I write, I do proper sanitizing before using any data, but if I'm using a standard package, I try to intercept problems before they get there. There's no reason that mod_security shouldn't have this functionality, especially since it's needed and useful in some circumstances, but users should understand that it's not necessarily the best place to do it.

> OK, here we go, why you should not use something like s/</&lt;/
>
> assume you have an URL with following QUERY_STRING:
> cmd=ls
> where someone uses (for fun or whatever:)
> cmd=ls<i>/sbin/shutdown
> which might be "sanitized" to:
> cmd=ls&lt;i&gt;/sbin/shutdown

Well, I wouldn't run that on the QUERY_STRING, I'd run it on a particular argument which is going to be posted as HTML to a webpage and not used in other contexts. Also, if you're allowing users to enter commands directly on the QUERY_STRING, you've got bigger problems!

Tom
|
|
From: Achim H. <ki...@se...> - 2006-01-13 21:23:35
|
On Fri, 13 Jan 2006, Ivan Ristic wrote:
!! Tom Anderson wrote:
!! >
!! > ...
!! >
!! > Is this something
!! > that could be added in future versions?
!!
!! I have been thinking about that but there's a lot of work involved
!! and I just don't see the benefit. Personally, I don't believe
!! in sanitisation. It's too easy to do it wrong, and if you do you
!! get to feel secure where, in fact, you still have a hole in your
!! defences.
!!
!! I am open to discussion, though.
I totally agree with Ivan: don't try to sanitize data at such a central place
!! > I think it would be extremely useful to be able to modify request
!! > content in this way rather than just flagging it.
!!
!! Perhaps, give me one real-life example where you would use it?
!!
OK, here we go, why you should not use something like s/</&lt;/
assume you have an URL with following QUERY_STRING:
cmd=ls
where someone uses (for fun or whatever:)
cmd=ls<i>/sbin/shutdown
which might be "sanitized" to:
cmd=ls&lt;i&gt;/sbin/shutdown
Hopefully the web server's application performing this request is not
running as user root, do you know ... ?
{-: Achim
|
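Ivan's two objections (a transformation belongs at each system boundary, and only the application knows which boundaries the data will cross) and Achim's cmd=ls example, worked through as an added example that is not code from the thread or from ModSecurity. It sends one value into three sinks and compares a single escape applied in front of the application with per-boundary encoding; the sink checkers (an HTML tag count, a JavaScript string-literal scan, a shell tokeniser) are simplified stand-ins for a browser and a shell, and the sample values are constructed.

```python
"""Why one fixed escape step in front of the application is not sanitisation."""
import html
import json
import shlex
from html.parser import HTMLParser

# Constructed sample values, one aimed at each sink. The shell one is the
# cmd=ls example from the thread; the other two are made up for this demo.
SAMPLES = {
    "html_text": "Diego <b>duff</b> Pellegrino",
    "js_string": 'Diego"; x = 1; //',
    "shell_arg": "ls<i>/sbin/shutdown",
}


def waf_escape(value: str) -> str:
    """The proposed SecFilterEscapeHTML / s/</&lt;/ rule: replace '<' and '>'
    without knowing where the value will end up."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def html_text_injected(fragment: str) -> bool:
    """Sink 1: the value sits between <p> and </p>. Injection = the parser
    sees any element other than the surrounding <p>."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags != ["p"]


def js_literal_broken(literal: str) -> bool:
    """Sink 2: the value sits inside var name = "..."; in an inline script.
    Broken = an unescaped quote closes the literal before its last character,
    so the rest is parsed as code. No '<' or '>' is involved at all."""
    i = 1
    while i < len(literal):
        if literal[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if literal[i] == '"':
            break
        i += 1
    return i != len(literal) - 1


SHELL_OPERATORS = {"<", ">", ">>", "<<", "|", "||", "&", "&&", ";"}


def shell_has_operators(cmdline: str) -> bool:
    """Sink 3: the value is handed to a shell (the application bug Achim
    assumes). Unsafe = a redirection or control operator survives, or the
    value breaks the shell's own quoting."""
    try:
        lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
        return any(tok in SHELL_OPERATORS for tok in lexer)
    except ValueError:      # unbalanced quote: not a clean single word either
        return True


def check_sinks(html_fragment: str, js_literal: str, cmdline: str) -> dict:
    return {
        "html_text": html_text_injected(html_fragment),
        "js_string": js_literal_broken(js_literal),
        "shell_arg": shell_has_operators(cmdline),
    }


def waf_approach(value: str) -> dict:
    """One transformation in front of the application; the app then uses
    the result verbatim in every sink."""
    v = waf_escape(value)
    return check_sinks(f"<p>{v}</p>", f'"{v}"', v)


def boundary_approach(value: str) -> dict:
    """Raw value kept; each boundary applies the encoder for its own format."""
    return check_sinks(
        f"<p>{html.escape(value)}</p>",   # HTML text node
        json.dumps(value),                # JavaScript string literal
        shlex.quote(value),               # a single shell word
    )


if __name__ == "__main__":
    for sink, value in SAMPLES.items():
        print(f"{value!r} (aimed at {sink}):")
        print("  escape at the WAF   ->", waf_approach(value))
        print("  encode per boundary ->", boundary_approach(value))
```

Note that escaping `<` as `&lt;` introduces `&` and `;`, which are shell control operators, so for the shell sink the "sanitised" value is no safer than the original.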
|
From: Tom A. <tan...@oa...> - 2006-01-13 15:00:34
|
Ivan Ristic wrote:
>> I think it would be extremely useful to be able to modify request
>> content in this way rather than just flagging it.
>
> Perhaps, give me one real-life example where you would use it?

The present example of trying to prevent HTML injection in posts where user input is going to be displayed on a webpage, possibly by software that doesn't do proper sanitizing of its own. Doing little-constrained wildcard matching like "<.+?>" is a recipe for potentially huge performance hits, plus it wholesale rejects user input that should otherwise be acceptable in an escaped format. This would be true for SQL injection filters as well, and anywhere else that strings are blocked simply for containing dubious characters when they would be known OK if those characters could be escaped.

Sanitizing functionality is like a bouncer at a club who checks IDs and stamps people's hands if they're over 21 so that they can order alcohol, rather than rejecting those under 21 from the club entirely. Likewise, you might not want to prevent people from having discussions _about_ HTML or SQL or other topics which might just contain strings that would trigger a filter block. Allow them to post their comments, but remove the attack potential by escaping those characters which would allow the strings to do damage under the wrong circumstances.

Formats such as these might be ideal:

SecFilterSelective ARG_BLOGPOST s/>/&gt;/
SecFilterExternal ARG_BLOGPOST "html_escape.pl"
SecFilterEscapeHTML ARG_BLOGPOST
SecFilterEscapeSQL ARG_SEARCHSTRING

Doing something like the last two should not be all that difficult, as simple generic escape functions can be written and simply applied to the argument listed. Just implementing SecFilterEscapeHTML ARG_BLOGPOST to replace SecFilterSelective ARG_BLOGPOST "<.+>" would both prevent lots of false positives (valid HTML discussions, etc.) and measurably improve performance on moderately busy discussion forum or blog sites.

This is real security, not just a perception... replacing key symbols with their HTML escape codes can annihilate HTML injection, XSS, and scripting attacks with little overhead.

Tom

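An added example, not code from this thread or from ModSecurity: a stand-alone escaping filter of the kind the "html_escape.pl" proposal above describes, written in Python rather than Perl so it can be run directly. The STDIN-in/STDOUT-out contract is assumed (the thread only sketches it), the coarse "<.+>" blocking rule is reproduced as a Python regex for comparison, and every sample input is constructed for illustration. Beyond the two-character rewrite discussed in the thread, the block escapes the full set of HTML-significant characters and checks the result in both element-text and attribute context, because a value that is only bracket-escaped can still break out of a quoted attribute.

```python
"""
Added example, not code from the thread or from ModSecurity: a stand-alone
HTML-escaping filter of the kind the "html_escape.pl" proposal describes,
written in Python rather than Perl.

Assumed contract (the thread only sketches it): the argument value arrives on
STDIN and the escaped value is written to STDOUT.  The sample inputs and the
block-rule regex below are constructed for illustration.
"""
import re
import sys

# Mapping used for a single-pass escape.  One pass avoids the classic bug of
# escaping '<' to '&lt;' and then re-escaping the '&' that was just added.
_HTML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}

# The coarse blocking rule the post wants to retire:
# SecFilterSelective ARG_BLOGPOST "<.+>" rejects anything that looks tag-like.
_TAG_BLOCK_RULE = re.compile(r"<.+>")


def blocked_by_tag_rule(value: str) -> bool:
    """True if the coarse "<.+>" rule would reject this value outright."""
    return _TAG_BLOCK_RULE.search(value) is not None


def escape_angle_brackets_only(value: str) -> str:
    """The narrow rewrite from the thread: s/</&lt;/ and s/>/&gt;/ only."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def html_escape(value: str) -> str:
    """Escape every character that is significant in HTML text or attributes."""
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in value)


def render_comment(escaped: str) -> str:
    """Constructed page fragment that echoes the value in two contexts:
    as element text and inside a double-quoted attribute."""
    return f'<p title="{escaped}">{escaped}</p>'


def attribute_breakout(escaped: str) -> bool:
    """True if the escaped value can still close a double-quoted attribute,
    i.e. the escaping was insufficient for the attribute context."""
    return '"' in escaped


def starts_tag(escaped: str) -> bool:
    """True if the escaped value can still open a tag in text context."""
    return "<" in escaped


def main() -> None:
    # External-filter mode: raw value on STDIN, escaped value on STDOUT.
    sys.stdout.write(html_escape(sys.stdin.read()))


if __name__ == "__main__":
    main()
```

Run as a filter with something like `printf '%s' 'use <b> for bold' | python3 html_escape.py`, which emits `use &lt;b&gt; for bold`; that same input is rejected outright by the "<.+>" rule, which is the false positive the post complains about. The constructed value `" onmouseover="alert(1)` illustrates the other direction: it contains no angle brackets, so neither the "<.+>" rule nor the bracket-only rewrite touches it, yet once rendered inside a quoted attribute it becomes a live event handler. Only the full escape (quotes included) keeps it inert in both contexts.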
From: Ivan R. <iv...@we...> - 2006-01-13 12:59:31
Tom Anderson wrote:
>
> ...
>
> I'm not sure if you can use mod_security
> to do this, but maybe you can try something like:
>
> SecFilterSelective THE_REQUEST "vulnerable-script-name" chain
> SecFilterSelective ARG_SANITIZEME "(<|>)" "exec:html_escape.pl"
>
> But I don't think the exec'd script gets passed the info or inserts
> anything back into the string. Ideally "html_escape.pl" would be passed
> the "ARG_SANITIZEME" content on STDIN and then mod_security would
> replace "ARG_SANITIZEME" with the output of "html_escape.pl". That
> would be a true external filter, similar to how procmail works. Ivan,
> correct me if I'm wrong in saying that you can't do using mod_security
> what I'm suggesting would be the right technique. Actually, ideally you
> could do this:
>
> SecFilterSelective THE_REQUEST "vulnerable-script-name" chain
> SecFilterSelective ARG_SANITIZEME s/</&lt;/
> SecFilterSelective ARG_SANITIZEME s/>/&gt;/
>
> But that too wouldn't work in mod_security I believe.

That's correct. It is not possible to change request data using ModSecurity, at least not at the moment.

> Is this something
> that could be added in future versions?

I have been thinking about that but there's a lot of work involved and I just don't see the benefit. Personally, I don't believe in sanitisation. It's too easy to do it wrong, and if you do you get to feel secure where, in fact, you still have a hole in your defences. I am open to discussion, though.

> I think it would be extremely useful to be able to modify request
> content in this way rather than just flagging it.

Perhaps, give me one real-life example where you would use it?

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934

From: Ivan R. <iv...@we...> - 2006-01-13 12:48:38
Ivan Ristic wrote:
> Servedio, Allen (Matrix) wrote:
>> Just getting ready to... I am working with Ivan on it now.
>
> We didn't get to run truss (Allen did not have root on
> the box) but we narrowed it down pretty much to a problem
> in the Apache 1.3.x regular expression library.

For those who remember a similar thread from December (increased CPU consumption when mod_security is used), we asked Kwong Li to remove the one rule in his configuration that used subexpressions. He has just reported that he has not experienced high load problems since.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934

From: Ivan R. <iv...@we...> - 2006-01-13 10:45:23
Jernej Zajc wrote:
> Hello,
>
> this is what I get:
>
> [root@box:httpd-2.0.55]# make
> Making all in srclib
>
> ...
>
> make[1]: Entering directory `/root/httpd-2.0.55/srclib'
> Making all in apr
> make[2]: Entering directory `/root/httpd-2.0.55/srclib/apr'
> Making all in strings
> make[3]: Entering directory `/root/httpd-2.0.55/srclib/apr/strings'
> make[4]: Entering directory `/root/httpd-2.0.55/srclib/apr/strings'
> /bin/bash /root/httpd-2.0.55/srclib/apr/libtool --silent --mode=compile gcc -g -O2 -DHAVE_CONFIG_H -DSOLARIS2=10 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -I../include -I../include/arch/unix -c apr_cpystrn.c && touch apr_cpystrn.lo
> In file included from /usr/include/sys/wait.h:24,
> from ../include/apr.h:131,
> from apr_cpystrn.c:17:
> /usr/include/sys/siginfo.h:259: error: parse error before "ctid_t"
>
> ...
>
> Any pointers would be appreciated.

Hi,

I don't think you are having problems with ModSecurity. Those errors are coming from APR, which is part of Apache. Now, why that happens - I am afraid I don't know.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934