Thread: Re: [mod-security-users] include snort rules
From: Peter VE <xx...@im...> - 2005-11-16 10:00:56
> Peter VE wrote:
>> Hi,
>>
>> I wrote a script that pulls down multiple sets of snort rules, and
>> converts specific rulefiles to SecFilters.
>
> You shouldn't have, there's a script included with ModSecurity
> that does just that :)

I'm using the ModSecurity script to convert, but it is launched from
within my own script, which
- downloads various sets of rules (snort, bleeding, community)
- extracts the rules
- only converts the rules that I need
- rips out some rules that I don't want/need
(after converting snort rules, I noticed that the converted file
contains a couple of SecFilter "" and SecFilter "=" entries,
which kinda break basic functionality... )

>> When I update the files with newer files, will mod_security
>> automatically use the newer file ? Or does Apache need a restart ?
>
> You need to restart Apache.

Will Apache start when one of the mod_security SecFilters is wrong ?
After all, this is an automated process - there is a chance that
something is wrong with the original snort rules, or with converting
those rules into filters...

>> If it automatically uses the newer file, what happens at the very
>> time the file gets overwritten?
>
> Nothing. When Apache is started rules are read in memory. What
> you do with the file afterwards is not important.

Thanks !

> --
> Ivan Ristic
> Apache Security (O'Reilly) - http://www.apachesecurity.net
> Open source web application firewall - http://www.modsecurity.org
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
From: Peter VE <xx...@im...> - 2005-11-16 10:13:46
>> I'm using the ModSecurity script to convert, but it is launched from
>> within my own script, which
>> - downloads various sets of rules (snort, bleeding, community)
>> - extracts the rules
>> - only converts the rules that I need
>> - rips out some rules that I don't want/need
>> (after converting snort rules, I noticed that the converted file
>> contains a couple of SecFilter "" and SecFilter "=" entries,
>> which kinda break basic functionality... )
>
> Nice. How long have you been using the Snort rules for? Are you
> happy with them for web intrusion detection?

snort rules for mod_security : 2 days
this is the first webserver, so I really don't know how good/bad they are...
Has anyone else played with the snort rules for
- IDS (snort itself)
- SecFilters (mod_security) ?
If so, what are your findings ?

>>>> When I update the files with newer files, will mod_security
>>>> automatically use the newer file ? Or does Apache need a restart ?
>>>
>>> You need to restart Apache.
>>
>> Will Apache start when one of the mod_security SecFilters is wrong ?
>
> No. But you can preserve the previous version of the configuration
> file, run Apache with "configtest" first, actually restarting only
> if everything's fine.

great ! thanks

> --
> Ivan Ristic
> Apache Security (O'Reilly) - http://www.apachesecurity.net
> Open source web application firewall - http://www.modsecurity.org
From: Ivan R. <iv...@we...> - 2005-11-16 10:56:32
Peter VE wrote:
>>> I'm using the ModSecurity script to convert, but it is launched from
>>> within my own script, which
>>> - downloads various sets of rules (snort, bleeding, community)
>>> - extracts the rules
>>> - only converts the rules that I need
>>> - rips out some rules that I don't want/need
>>> (after converting snort rules, I noticed that the converted file
>>> contains a couple of SecFilter "" and SecFilter "=" entries,
>>> which kinda break basic functionality... )
>>
>> Nice. How long have you been using the Snort rules for? Are you
>> happy with them for web intrusion detection?
>
> snort rules for mod_security : 2 days
> this is the first webserver, so I really don't know how good/bad they
> are...
> Has anyone else played with the snort rules for
> - IDS (snort itself)
> - SecFilters (mod_security) ?
> If so, what are your findings ?

I didn't use them in practice but, after looking at them, I thought
they were too broad.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: Ivan R. <iv...@we...> - 2005-11-16 10:05:00
Peter VE wrote:
>
> I'm using the ModSecurity script to convert, but it is launched from
> within my own script, which
> - downloads various sets of rules (snort, bleeding, community)
> - extracts the rules
> - only converts the rules that I need
> - rips out some rules that I don't want/need
> (after converting snort rules, I noticed that the converted file
> contains a couple of SecFilter "" and SecFilter "=" entries,
> which kinda break basic functionality... )

Nice. How long have you been using the Snort rules for? Are you
happy with them for web intrusion detection?

>>> When I update the files with newer files, will mod_security
>>> automatically use the newer file ? Or does Apache need a restart ?
>>
>> You need to restart Apache.
>
> Will Apache start when one of the mod_security SecFilters is wrong ?

No. But you can preserve the previous version of the configuration
file, run Apache with "configtest" first, actually restarting only
if everything's fine.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: Javier Fernandez-S. <jfe...@ge...> - 2005-11-17 09:15:47
Peter VE wrote:
>> Peter VE wrote:
>>
>>> Hi,
>>>
>>> I wrote a script that pulls down multiple sets of snort rules, and
>>> converts specific rulefiles to SecFilters.
>>
>> You shouldn't have, there's a script included with ModSecurity
>> that does just that :)
>
> I'm using the ModSecurity script to convert, but it is launched from
> within my own script, which

BTW, are you open to sharing that script so that Ivan can add it to
the util/ directory? I provided a nessus2modsec script a while back [1]
which is now available there [2] and I would encourage others to do
the same. These scripts are valid tools and help others get up to
speed when using mod-security. Contributing them back also makes it
possible for the community to maintain them.

> - downloads various sets of rules (snort, bleeding, community)
> - extracts the rules
> - only converts the rules that I need
> - rips out some rules that I don't want/need
> (after converting snort rules, I noticed that the converted file
> contains a couple of SecFilter "" and SecFilter "=" entries,
> which kinda break basic functionality... )

This last comment (the SecFilter "" issue) looks to me like it is
because you are using an older version of the script that does not
skip Snort rules that do not apply to HTTP. I provided a patch [3] to
snort2modsec that fixed that. Ivan applied that patch [4] (minus the
documentation I added, but that is also available in the
'snortmodsec-rules.txt' file already).

If you are not willing to share the code, it would be nice if you
could tell us:
- which rules you don't think apply, and should not be converted
- what rules that do apply get converted to problematic SecFilters

Regards

Javier

[1] http://sourceforge.net/mailarchive/forum.php?thread_id=5857485&forum_id=33492
[2] http://cvs.sourceforge.net/viewcvs.py/mod-security/mod_security/util/nessus2modsec.pl?rev=1.1&view=markup
[3] http://sourceforge.net/mailarchive/forum.php?thread_id=5857484&forum_id=33492
[4] http://cvs.sourceforge.net/viewcvs.py/mod-security/mod_security/util/snort2modsec.pl?r1=1.1&r2=1.2

>>> When I update the files with newer files, will mod_security
>>> automatically use the newer file ? Or does Apache need a restart ?
>>
>> You need to restart Apache.
>
> Will Apache start when one of the mod_security SecFilters is wrong ?
> After all, this is an automated process - there is a chance that
> something is wrong with the original snort rules, or with converting
> those rules into filters...
>
>>> If it automatically uses the newer file, what happens at the very
>>> time the file gets overwritten?
>>
>> Nothing. When Apache is started rules are read in memory. What
>> you do with the file afterwards is not important.
>
> Thanks !
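The update procedure the thread converges on (Ivan's advice to keep the previous configuration and run "configtest" before restarting, and the degenerate SecFilter "" / SecFilter "=" lines Peter and Javier discuss), written out as an added example. It is not part of the original thread and not one of the ModSecurity util/ scripts. The rules path, the layout of the converted file and the `apachectl configtest` command are assumptions and can be overridden through environment variables; the sample rules mentioned in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from ModSecurity itself.
# Two safeguards for an automated Snort-to-SecFilter update:
#   1. drop degenerate SecFilter lines (empty or "=" patterns) of the
#      kind the older converter emitted for non-HTTP Snort rules;
#   2. keep the previous rules file, run Apache's configtest against
#      the new one, and roll back unless the test passes.
# Because Apache reads the rules into memory at startup, swapping the
# file is safe at any time; only a restart makes the new rules live.

# Assumed locations and command; override via the environment.
RULES_FILE="${RULES_FILE:-/etc/apache2/modsecurity/snort-rules.conf}"
CONFIGTEST_CMD="${CONFIGTEST_CMD:-apachectl configtest}"

# Print the converted rules file with degenerate SecFilter lines removed.
# The pattern is the first quoted (or bare) argument; it is degenerate
# when empty or made only of "=" characters. Other directives and
# comments pass through untouched.
filter_secfilters() {
    awk '
        /^[[:space:]]*SecFilter[[:space:]]/ {
            line = $0
            sub(/^[[:space:]]*SecFilter[[:space:]]+/, "", line)
            if (match(line, /^"[^"]*"/)) {
                pat = substr(line, RSTART + 1, RLENGTH - 2)
            } else {
                split(line, f, /[[:space:]]+/); pat = f[1]
            }
            if (pat == "" || pat ~ /^=+$/) next
        }
        { print }
    ' "$1"
}

# Install $1 as the live rules file, keeping the previous version as
# $RULES_FILE.prev. Runs configtest; on failure restores the previous
# file and returns 1 so the caller does not restart Apache.
install_rules() {
    new="$1"
    backup="$RULES_FILE.prev"
    if [ -f "$RULES_FILE" ]; then
        cp -p "$RULES_FILE" "$backup"
    fi
    cp "$new" "$RULES_FILE"
    if sh -c "$CONFIGTEST_CMD" >/dev/null 2>&1; then
        return 0
    fi
    # configtest failed: put the old rules back so a later restart
    # (planned or not) never picks up the broken configuration
    if [ -f "$backup" ]; then
        mv "$backup" "$RULES_FILE"
    else
        rm -f "$RULES_FILE"
    fi
    return 1
}

# Filter a freshly converted file and install it with rollback.
update_rules() {
    converted="$1"
    tmp="${TMPDIR:-/tmp}/secfilters.$$"
    filter_secfilters "$converted" > "$tmp"
    if install_rules "$tmp"; then
        echo "rules installed in $RULES_FILE; restart Apache to load them"
        rc=0
    else
        echo "configtest failed: previous rules restored, not restarting" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# usage: RULES_FILE=... ./update-rules.sh converted-snort-rules.conf
if [ $# -gt 0 ]; then
    update_rules "$1"
fi
```

The filter only guards against the two degenerate patterns named in the thread; the patched snort2modsec.pl that Javier points to avoids producing them in the first place by skipping non-HTTP rules, which is the better fix. The rollback matters because a cron-driven update that leaves a broken file on disk is harmless until the next restart, at which point Apache refuses to start.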
From: <xx...@im...> - 2005-11-17 09:35:45
Good idea - I'll make it more generic, and add some error handling;
and I'll send it to Ivan

P

Javier Fernandez-Sanguino <jfe...@ge...> wrote on 17/11/2005 10:20
To: Peter VE <xx...@im...>
cc: mod_security mailinglist <mod...@li...>
Subject: Re: [mod-security-users] include snort rules

> [Javier's message of 17/11/2005, quoted in full; see above]