Thread: [mod-security-users] Release of remo 0.1.3
From: Christian F. <chr...@ti...> - 2007-03-14 16:40:55
Hello,

Remo 0.1.3 alpha has been released. See the website at http://remo.netnea.com.

Remo stands for "Rule Editor for ModSecurity". It's a project attempting to
- bring easier configuration to ModSecurity
- make a whitelist/positive security model feasible for ModSecurity deployments

This new release brings the following new features:
- Support for query string arguments
- Support for cookies
- Every request parameter can be optional or mandatory

Those who have seen the cool rule webcast by Ryan Barnett have seen an info graphic explaining the way remo is translating your parameter definition into a ModSecurity rule. You can find this graphic at http://remo.netnea.com/twiki/bin/view/Documentation/WebHome

With this release, remo brings the basic functionality to write a whitelist ruleset for an online application. I did a successful test with drupal, which comes with 250 different post parameters. It has been painful and took me almost two days to enter all these arguments into remo and qualify them with a regular expression. Then I generated the ruleset and got a fairly nailed down drupal installation. More work would be needed to tune the regular expressions on the given fields in order to make this usable in practice. But for a start, I have been quite pleased.

As previously, the new release can be found on the demo site at: http://remo.netnea.com/demo/main/index
You can get your feet wet there without the need to install remo.

best regards,

Christian Folini

--
chr...@ne... - http://www.netnea.com
ModSecurity and mod_security are trademarks of Breach Security, Inc.
netnea.com is not affiliated with Breach Security, Inc.
From: Ivan R. <iva...@gm...> - 2007-03-15 13:19:45
On 3/14/07, Christian Folini <chr...@ti...> wrote:
> Hello,
>
> Remo 0.1.3 alpha has been released.
> See the website at http://remo.netnea.com.
>
> ...
>
> I did a successful test with drupal, which comes with 250
> different post parameters. It has been painful and took
> me almost two days to enter all these arguments into remo
> and qualify them with a regular expression. Then I generated
> the ruleset and got a fairly nailed down drupal installation.
> More work would be needed to tune the regular expressions
> on the given fields in order to make this usable in
> practice. But for a start, I have been quite pleased.

Have you considered automating the process, for example creation of the rule set using the recorded traffic (audit logs)?

> As previously, the new release can be found on the demo site
> at: http://remo.netnea.com/demo/main/index
> You can get your feet wet there without the need to install
> remo.
>
> best regards,
>
> Christian Folini
>
> --
> chr...@ne... - http://www.netnea.com
> ModSecurity and mod_security are trademarks of Breach Security, Inc.
> netnea.com is not affiliated with Breach Security, Inc.
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

--
Ivan Ristic
From: Christian F. <chr...@ti...> - 2007-03-15 13:55:58
On Thu, Mar 15, 2007 at 01:19:37PM +0000, Ivan Ristic wrote:
> > practice. But for a start, I have been quite pleased.
>
> Have you considered automating the process, for example creation of the
> rule set using the recorded traffic (audit logs)?

I have laid out the next development targets as follows:
* Add default parameter value domain.
  This means you no longer need to define an individual regular expression for every parameter yourself (like \d{0,5}, or [\w\d]{0,16}). Instead you just select "short integer" or "mid-size string (no spaces)" etc. This will simplify the rule writing.
* Import mode allowing the use of access-logs or audit-logs as a base for rule writing.
  Common and combined access logs lack headers, cookies and post parameters of course.
* Going Beta.

After this phase, I plan to return to the import mode and develop a proxy mode / learning mode. Possibly also taking advantage of ModSecurity and mod_spread.

The idea is to receive a request into remo in the very moment it is executed. This is what the wide white area on the left of the gui is good for. (-> http://remo.netnea.com/images/remo-screenshot-20070221-svn138.png) During the import, the new request will be compared to the ruleset in the works. If it is covered by the whitelist ruleset, it would get a green color. A red color in the opposite case. Next step is to take the red request and drag it over to the rule area (on the right side in the gui), where it is interpreted as a new request and filled with reasonable (?) default values based on the request as seen in the import/sniffer mode.

Well, the development is not quite there yet, but that is the path I plan to take.

I have one or two feature requests for Mod. Should I post them to the list or to you in a private message?

regs,

Christian

--
Everyone is a prisoner of his own experiences.
No one can eliminate prejudices - just recognize them.
--- Edward R. Murrow
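The import mode sketched above (draft whitelist definitions from recorded traffic, with default value domains instead of hand-written regexes) can be illustrated with a small Python script. This is an added example, not remo's code: it reads constructed combined-format access log lines, collects the query-string parameters seen per path, proposes the narrowest of the thread's default domains for each, and marks a parameter mandatory when it appeared on every request to its path. The DOMAINS table, the log lines and the function names are assumptions made here. The POST line in the sample deliberately yields nothing, which is the gap Christian points out: access logs carry no headers, cookies or post parameters.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed combined-format access log lines, not real traffic. The POST
# request has no body in the log, so nothing can be learned about it here.
LOG_LINES = [
    '10.0.0.1 - - [15/Mar/2007:13:19:45 +0000] "GET /node?page=3&sort=title HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.0.0.2 - - [15/Mar/2007:13:20:01 +0000] "GET /node?page=12 HTTP/1.1" 200 980 "-" "Mozilla/5.0"',
    '10.0.0.3 - - [15/Mar/2007:13:20:30 +0000] "POST /node/add HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.1 - - [15/Mar/2007:13:21:02 +0000] "GET /node?page=7&sort=created HTTP/1.1" 200 1100 "-" "Mozilla/5.0"',
]

# The request line of a common/combined log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Default value domains, narrowest first. The regexes are the thread's own
# examples with \d written as [0-9]; the labels are the thread's wording.
DOMAINS = [
    ("short integer", re.compile(r"[0-9]{0,5}")),
    ("mid-size string (no spaces)", re.compile(r"[\w]{0,16}")),
]


def observed_parameters(lines):
    """Collect query-string parameters from the log.

    Returns three dicts: (path, name) -> list of observed values,
    (path, name) -> number of requests in which the name appeared,
    and path -> number of requests to that path."""
    values, presence, requests = {}, {}, {}
    for line in lines:
        m = REQUEST_RE.search(line)
        if m is None:
            continue  # not an HTTP request line, skip it
        url = urlsplit(m.group("target"))
        requests[url.path] = requests.get(url.path, 0) + 1
        pairs = parse_qsl(url.query, keep_blank_values=True)
        for name, value in pairs:
            values.setdefault((url.path, name), []).append(value)
        for name in {n for n, _ in pairs}:
            presence[(url.path, name)] = presence.get((url.path, name), 0) + 1
    return values, presence, requests


def propose_domain(observed):
    """Narrowest default domain that every observed value fits, or None when
    no default fits and a human has to write the regex by hand."""
    for label, rx in DOMAINS:
        if all(rx.fullmatch(v) for v in observed):
            return label
    return None


def propose_definitions(lines):
    """Draft remo-style parameter definitions from the log. A parameter seen
    on every request to its path is proposed as mandatory, otherwise optional.
    These are starting points for review, not a finished whitelist."""
    values, presence, requests = observed_parameters(lines)
    drafts = []
    for (path, name), seen in sorted(values.items()):
        drafts.append({
            "path": path,
            "name": name,
            "domain": propose_domain(seen),
            "mandatory": presence[(path, name)] == requests[path],
            "samples": len(seen),
        })
    return drafts


if __name__ == "__main__":
    for draft in propose_definitions(LOG_LINES):
        print(draft)
```

Because the narrowest domain wins, a parameter that has only ever carried digits is proposed as "short integer"; one sample with letters pushes it to the wider string domain, and a value with a space falls outside every default and comes back as None, which is the signal to write a specific regex. More traffic therefore tightens nothing and can only widen a proposal, so the log sample should be representative before the drafts are trusted.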
From: Ivan R. <iva...@gm...> - 2007-03-15 14:10:03
On 3/15/07, Christian Folini <chr...@ti...> wrote:
> On Thu, Mar 15, 2007 at 01:19:37PM +0000, Ivan Ristic wrote:
> > > practice. But for a start, I have been quite pleased.
> >
> > Have you considered automating the process, for example creation of the
> > rule set using the recorded traffic (audit logs)?
>
> I have laid out the next development targets as follows:
> * Add default parameter value domain.
>   This means you no longer need to define an individual regular
>   expression for every parameter yourself (like \d{0,5}, or [\w\d]{0,16}).
>   Instead you just select "short integer" or "mid-size string (no spaces)" etc.
>   This will simplify the rule writing.
> * Import mode allowing the use of access-logs or audit-logs as a base for rule writing.
>   Common and combined access logs lack headers, cookies and post parameters of course.
> * Going Beta.
>
> After this phase, I plan to return to the import mode and develop a proxy
> mode / learning mode. Possibly also taking advantage of ModSecurity and mod_spread.
>
> The idea is to receive a request into remo in the very moment it is executed.

FYI future versions of ModSecurity will probably include the piece we are now using to transport audit log entries from sensors into the central management console. To receive audit alerts you only need a web server that can process PUT requests.

> This is what the wide white area on the left of the gui is good for.
> (-> http://remo.netnea.com/images/remo-screenshot-20070221-svn138.png)
> During the import, the new request will be compared to the ruleset in the
> works. If it is covered by the whitelist ruleset, it would get a green color.
> A red color in the opposite case. Next step is to take the red request and
> drag it over to the rule area (on the right side in the gui), where it is
> interpreted as a new request and filled with reasonable (?) default values
> based on the request as seen in the import/sniffer mode.
>
> Well, the development is not quite there yet, but that is the path I plan to take.

Sounds good.

> I have one or two feature requests for Mod. Should I post them to the
> list or to you in a private message?

The list please.

> regs,
>
> Christian
>
> --
> Everyone is a prisoner of his own experiences.
> No one can eliminate prejudices - just recognize them.
> --- Edward R. Murrow

--
Ivan Ristic
From: Christian F. <chr...@ti...> - 2007-03-19 17:16:59
On Thu, Mar 15, 2007 at 02:09:55PM +0000, Ivan Ristic wrote:
> > I have one or two feature requests for Mod. Should I post them to the
> > list or to you in a private message?
>
> The list please.

So here we go. I have two feature requests.

- Separate collections for query string parameters and post payload arguments.
  ARGS is a handy collection, but for a whitelist policy, I want to be exact and right now I have to do a special hack with every post parameter to make sure it is not submitted as query string argument (and vice-versa). Separate collections simplify my rulesets.
- Regex ranges in selection operator
  While ARGS:/^uid_\d$/ works as selector, ARGS:/^uid_\d{1,5}$/ does not. In fact I get the following during restart:
  Error creating rule: Unknown variable: 5}$/
  (ModSecurity 2.1.0)
  It would be very cool if this syntax would work.

Otherwise, after two months of remo, I am very much pleased with the possibilities of the ModSecurity rules language.

regards,

Christian

--
chr...@ne... - http://www.netnea.com
From: Ofer S. <Of...@Br...> - 2007-03-20 22:24:13
Regarding the 2nd request, I think that you only need to add quotes:

"ARGS:'/^uid_\d{1,5}$/'"

I did not test this specifically today, but in a blog entry back in December I used a similar construct and it worked fine:

SecRule "&REQUEST_HEADERS:'/^(?i)x[-_]a{9,12}$/'" "@gt 0"

I don't know if you need the double quotes also or only the single quotes.

See: http://www.modsecurity.org/blog/archives/2006/12/using_modsecuri.html

~ Ofer

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Christian Folini
> Sent: Monday, March 19, 2007 7:16 PM
> To: Ivan Ristic
> Cc: mod...@li...
> Subject: [mod-security-users] Feature Requests (was: Re: Release of remo0.1.3)
>
> On Thu, Mar 15, 2007 at 02:09:55PM +0000, Ivan Ristic wrote:
> > > I have one or two feature requests for Mod. Should I post them to the
> > > list or to you in a private message?
> >
> > The list please.
>
> So here we go. I have two feature requests.
>
> - Separate collections for query string parameters and post payload
>   arguments.
>   ARGS is a handy collection, but for a whitelist policy, I want to be
>   exact and right now I have to do a special hack with every post
>   parameter to make sure it is not submitted as query string argument
>   (and vice-versa). Separate collections simplify my rulesets.
> - Regex ranges in selection operator
>   While ARGS:/^uid_\d$/ works as selector ARGS:/^uid_\d{1,5}$/ does
>   not.
>   In fact I get the following during restart.
>   Error creating rule: Unknown variable: 5}$/
>   (ModSecurity 2.1.0)
>   It would be very cool if this syntax would work.
>
> Otherwise, after two months of remo, I am very much pleased with the
> possibilities of the ModSecurity rules language.
>
> regards,
>
> Christian
>
> --
> chr...@ne... - http://www.netnea.com
From: Christian F. <chr...@ti...> - 2007-03-21 09:49:32
Hi Ofer,

thank you for your hints. I love feature requests that are already implemented. Quoting helps a lot. It works now, but the notation is a bit awkward, as I had to escape the \d twice:

SecRule "ARGS:'/^uid_\\\d{1,5}$/'" ...

Actually "ARGS:'/^uid_[0-9]{1,5}$/'" works without any hassle though. The double quotes seem to be optional, but the single quotes are a must.

Maybe single quoting of selector regexes should be pointed out in the documentation. Possibly on page 30, where ARGS:/^id_/ is being introduced.

thank you once more,

Christian Folini

On Tue, Mar 20, 2007 at 06:23:38PM -0400, Ofer Shezaf wrote:
> Regarding the 2nd request, I think that you only need to add quotes:
>
> "ARGS:'/^uid_\d{1,5}$/'"
>
> I did not test this specifically today, but in a blog entry back in
> December
> I used a similar construct and it worked fine:
>
> SecRule "&REQUEST_HEADERS:'/^(?i)x[-_]a{9,12}$/'" "@gt 0"
>
> I don't know if you need the double quotes also or only the single
> quotes.
>
> See:
> http://www.modsecurity.org/blog/archives/2006/12/using_modsecuri.html
>
> ~ Ofer
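Both of the feature requests in this thread, per-location parameter collections and regex selectors that need single quotes, are exercised in the following Python script. It is an added example, not remo's or ModSecurity's own code: it keeps a small constructed set of parameter definitions, evaluates sample requests against the positive model with query and body parameters kept strictly apart, and renders the same policy as ModSecurity rule text using the selector quoting Ofer and Christian settled on, with [0-9] in place of \d to avoid the triple escaping. ARGS_GET, ARGS_POST and their ARGS_GET_NAMES/ARGS_POST_NAMES companions are per-location collections of later ModSecurity 2.x releases, assumed here rather than taken from the thread (the 2.1.0 discussed above only offered ARGS); the rule ids, parameter definitions and sample requests are all constructed.

```python
import re

# Default value domains from the thread's examples (\d written as [0-9],
# which Christian found works in a quoted selector without extra escaping).
DOMAINS = {
    "short integer": r"[0-9]{0,5}",
    "mid-size string (no spaces)": r"[\w]{0,16}",
}

# Constructed parameter definitions in the shape remo collects them (an
# illustration, not remo's data model): location ("get" = query string,
# "post" = body), whether the name is a regex selector, the value domain,
# and whether the parameter is mandatory.
PARAMS = [
    {"name": "page", "regex": False, "where": "get", "domain": "short integer", "mandatory": False},
    {"name": "title", "regex": False, "where": "post", "domain": "mid-size string (no spaces)", "mandatory": True},
    {"name": "^uid_[0-9]{1,5}$", "regex": True, "where": "post", "domain": "short integer", "mandatory": False},
]


def _name_matches(param, key):
    """True when a parameter name is covered by this definition's selector."""
    if param["regex"]:
        return re.search(param["name"], key) is not None
    return param["name"] == key


def check_request(params, get, post):
    """Evaluate one request (decoded query-string and body parameters as two
    dicts) against the positive model. Returns a list of violations; an empty
    list means the whitelist fully covers the request. Because the locations
    are kept apart, a body parameter that turns up in the query string is
    simply an unknown query parameter, with no per-parameter hack needed."""
    violations = []
    collections = {"get": get, "post": post}
    for p in params:
        coll = collections[p["where"]]
        hits = [k for k in coll if _name_matches(p, k)]
        if p["mandatory"] and not hits:
            violations.append("missing mandatory %s parameter %s" % (p["where"], p["name"]))
        for k in hits:
            if re.fullmatch(DOMAINS[p["domain"]], coll[k]) is None:
                violations.append("%s parameter %s out of domain '%s'" % (p["where"], k, p["domain"]))
    for where, coll in collections.items():
        for k in coll:
            if not any(_name_matches(p, k) for p in params if p["where"] == where):
                violations.append("unknown %s parameter %s" % (where, k))
    return violations


def modsecurity_rules(params, first_id=900000):
    """Render the same policy as ModSecurity 2.x rule text. Regex selectors
    are single-quoted as the thread found necessary. ARGS_GET/ARGS_POST and
    the *_NAMES collections are assumed from later 2.x releases; rule ids are
    constructed values starting at first_id."""
    lines, rid = [], first_id
    for p in params:
        coll = "ARGS_GET" if p["where"] == "get" else "ARGS_POST"
        selector = "%s:'/%s/'" % (coll, p["name"]) if p["regex"] else "%s:%s" % (coll, p["name"])
        if p["mandatory"]:
            # &selector counts matching parameters; zero means it is absent.
            lines.append('SecRule &%s "@eq 0" "id:%d,phase:2,deny,log,msg:\'mandatory parameter missing\'"' % (selector, rid))
            rid += 1
        lines.append('SecRule %s "!@rx ^%s$" "id:%d,phase:2,deny,log,msg:\'parameter out of domain\'"' % (selector, DOMAINS[p["domain"]], rid))
        rid += 1
    # Whatever is not defined for a location is rejected: the positive model.
    for where, names_coll in (("get", "ARGS_GET_NAMES"), ("post", "ARGS_POST_NAMES")):
        alts = [p["name"] if p["regex"] else "^%s$" % re.escape(p["name"]) for p in params if p["where"] == where]
        pattern = "|".join(alts) or "(?!)"  # (?!) never matches: no names allowed at all
        lines.append('SecRule %s "!@rx %s" "id:%d,phase:2,deny,log,msg:\'unknown %s parameter\'"' % (names_coll, pattern, rid, where))
        rid += 1
    return lines


if __name__ == "__main__":
    print(check_request(PARAMS, {"uid_1": "42", "page": "3"}, {"uid_7": "abc"}))
    print("\n".join(modsecurity_rules(PARAMS)))
```

The rendered rules are one rule per definition plus a catch-all on the parameter names per location, so the rule count grows linearly with the definitions (Christian's 250 drupal parameters would produce a few hundred rules). The catch-all is what turns a list of allowed parameters into a whitelist: without it, a parameter nobody defined would pass untouched.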
From: Ivan R. <iva...@gm...> - 2007-03-28 13:12:57
On 3/19/07, Christian Folini <chr...@ti...> wrote:
> On Thu, Mar 15, 2007 at 02:09:55PM +0000, Ivan Ristic wrote:
> > > I have one or two feature requests for Mod. Should I post them to the
> > > list or to you in a private message?
> >
> > The list please.
>
> So here we go. I have two feature requests.
>
> - Separate collections for query string parameters and post payload
>   arguments.
>   ARGS is a handy collection, but for a whitelist policy, I want to be
>   exact and right now I have to do a special hack with every post
>   parameter to make sure it is not submitted as query string argument
>   (and vice-versa). Separate collections simplify my rulesets.

Agreed, that would be useful.

--
Ivan Ristic
From: Christian F. <chr...@ti...> - 2007-03-28 14:51:57
On Wed, Mar 28, 2007 at 02:12:53PM +0100, Ivan Ristic wrote:
> > - Separate collections for query string parameters and post payload
> >   arguments.
> >   ARGS is a handy collection, but for a whitelist policy, I want to be
> >   exact and right now I have to do a special hack with every post
> >   parameter to make sure it is not submitted as query string argument
> >   (and vice-versa). Separate collections simplify my rulesets.
>
> Agreed, that would be useful.

Thank you.

Christian

--
There's no sense in being pessimistic. It wouldn't work out anyway.
--- Anonymous