Thread: [mod-security-users] Rules database
|
From: Roman Medina-H. H. <ro...@rs...> - 2005-04-04 11:34:49
|
Hi,

I'm interested in protecting webapps in a "generic way" (more or less :-)), which means that if I choose to install a PHP-Nuke portal and a new SQL injection bug in that portal is disclosed, it will not be exploitable (the code would still be buggy until patching, but that's unavoidable). Of course, the idea is to catch as many kinds of bugs as possible (not only SQL injection, but directory traversal, remote PHP script injection, shell injection, etc).

I visited:
http://www.modsecurity.org/db/rules/
But I got a bit disappointed when I saw only 4 rules :-(. The db seems to be discontinued...?

I'm wondering whether:
1) There are other "repositories" for mod-security rules, or
2) Some of you, security specialists, would be kind enough to share the rules you have, ideas, etc.

Other repositories (not directly related to Mod-security but perhaps easily "convertible" to; for instance, rules from other IPS devices) may also be interesting.

Hope to hear from you, guys :-)

Kind regards,
-Román
|
From: Gerwin K. -|- D. W. <ge...@di...> - 2005-04-04 11:43:42
|
Hello Román,

You could try http://www.gotroot.com/downloads/ftp/mod_security/rules.conf
It has a LOT of rules.

Hope it's helpful.

Gerwin

Roman Medina-Heigl Hernandez wrote:
> Hi,
>
> I'm interested in protecting webapps in a "generic way" (more or less
> :-)), which means that if I choose to install a PHP-Nuke portal and a
> new SQL injection bug in that portal is disclosed, it will not be
> exploitable (the code would still be buggy until patching, but that's
> unavoidable). Of course, the idea is to catch the more kind of bugs
> being possible (not only SQL injection, but directory traversal, remote
> PHP script injection, shell injection, etc).
>
> I visited:
> http://www.modsecurity.org/db/rules/
> But I got a bit disappointed when I saw only 4 rules :-(. The db seems
> to be discontinued... ?
>
> I'm wondering whether:
> 1) There are other "repositories" for mod-security rules, or
> 2) Some of you, security-specialists, would be kind enough to share the
> rules you have, ideas, etc.
>
> Other repositories (not directly related to Mod-security but perhaps
> easily "convertible" to; for instance, rules from other IPS devices) may
> also be interesting.
>
> Hope hearing from you, guys :-)
>
> Kind regards,
> -Román
>
>
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_ide95&alloc_id=14396&op=click
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users

--
Met vriendelijke groet/With kind regards,
Gerwin Krist
Digitalus First-class Internet Webhosting
(w) http://www.digitalus.nl
(e) gerwin at digitalus.nl
(p) PGP-ID: 79B325D4
(t) +31 (0) 598 630000
(f) +31 (0) 598 631860
|
From: Roman Medina-H. H. <ro...@rs...> - 2005-04-04 14:14:41
|
Gerwin Krist -|- Digitalus Webhosting wrote:
> You could try http://www.gotroot.com/downloads/ftp/mod_security/rules.conf

It looks nice. But it seems to be having problems in Apache 1.x (according to the comments). Do you know if they've been fixed? I also read one thread at gotroot.com but it didn't contain specific info about the issue.

I still have to review the link provided by Alberto (my proxy doesn't load it, I'll try again later).

Thanks to both, Gerwin & Alberto :-)

Regards,
-Román
|
From: Michael S. <mi...@sh...> - 2005-04-08 21:09:51
|
On Mon, 2005-04-04 at 16:14 +0200, Roman Medina-Heigl Hernandez wrote:
> Gerwin Krist -|- Digitalus Webhosting wrote:
>
> > You could try http://www.gotroot.com/downloads/ftp/mod_security/rules.conf
>
> It looks nice. But it seems to be having problems in Apache 1.x
> (according to the comments). Do you know if they've been fixed? I also
> read one thread at gotroot.com but it didn't contain specific info about
> the issue.

Hi, I'm the author of those rules. The rules that choke on Apache 1.x deal with my use of PCRE regexes, while Apache 1.x apparently only supports POSIX regexes. The solution is that I need to convert all those regexes to POSIX regexes for the legacy Apache 1.x systems. Otherwise, the rules should work fine. It's just a regex formatting issue for the two platforms.

> I still have to review the link provided by Alberto (my proxy doesn't
> load it, I'll try again l8r).
>
> Thanks to both, Gerwin & Alberto :-)
>
> Regards,
> -Román

--
Michael T. Shinn
KeyID: 370A4CAB
Key Fingerprint: 0057 437C D882 ECFF 716B 7BD6 6E3B F5BA 370A 4CAB
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x370A4CAB
1st security axiom: Attacks always get better; they never get worse.
|
From: Ivan R. <iv...@we...> - 2005-04-11 09:14:45
|
Michael Shinn wrote:
> On Mon, 2005-04-04 at 16:14 +0200, Roman Medina-Heigl Hernandez wrote:
>
>> Gerwin Krist -|- Digitalus Webhosting wrote:
>>
>>> You could try http://www.gotroot.com/downloads/ftp/mod_security/rules.conf
>>
>> It looks nice. But it seems to be having problems in Apache 1.x
>> (according to the comments). Do you know if they've been fixed? I also
>> read one thread at gotroot.com but it didn't contain specific info about
>> the issue.
>
> Hi, I'm the author of those rules. The rules that choke on apache 1.x
> deal with my use of pcre regex'es while Apache 1.x apparently only
> supports POSIX regex's. The solution is that I need to convert all
> those regex's to POSIX regex's for the legacy Apache 1.x systems.
> Otherwise, the rules should work fine.

If you could send me the translation algorithm, I could try and put it right into the Apache 1.x version, so the translation would happen at runtime with both versions supporting the same format?

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
From: Michael S. <mi...@sh...> - 2005-04-17 15:40:52
|
On Mon, 2005-04-11 at 10:16 +0100, Ivan Ristic wrote:
> Michael Shinn wrote:
> > On Mon, 2005-04-04 at 16:14 +0200, Roman Medina-Heigl Hernandez wrote:
> >
> >> Gerwin Krist -|- Digitalus Webhosting wrote:
> >>
> >>> You could try http://www.gotroot.com/downloads/ftp/mod_security/rules.conf
> >>
> >> It looks nice. But it seems to be having problems in Apache 1.x
> >> (according to the comments). Do you know if they've been fixed? I also
> >> read one thread at gotroot.com but it didn't contain specific info about
> >> the issue.
> >
> > Hi, I'm the author of those rules. The rules that choke on apache 1.x
> > deal with my use of pcre regex'es while Apache 1.x apparently only
> > supports POSIX regex's. The solution is that I need to convert all
> > those regex's to POSIX regex's for the legacy Apache 1.x systems.
> > Otherwise, the rules should work fine.
>
> If you could send me the translation algorithm, I could try and
> put it right into the Apache 1.x version, so the translation would
> happen at runtime with both versions supporting the same format?

That would certainly be a much easier solution for me. :-)

--
Michael T. Shinn
KeyID: 370A4CAB
Key Fingerprint: 0057 437C D882 ECFF 716B 7BD6 6E3B F5BA 370A 4CAB
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x370A4CAB
1st security axiom: Attacks always get better; they never get worse.
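The PCRE-versus-POSIX problem Michael describes, and the load-time translation Ivan proposes, come down to a small rewriting pass over each rule's regex. The script below is an added illustration of such a pass in Python; it is not the gotroot rule set and not code from ModSecurity. It assumes the rule is used as a match/no-match filter (so a lazy quantifier can be made greedy without changing which requests match), maps `\d`, `\w`, `\s` and their negations onto bracket expressions, turns `(?:...)` into a plain group, and refuses anything with no ERE equivalent (lookarounds, inline flags, possessive quantifiers, `\b`, `\xHH`) rather than silently weakening the rule. The bracket-expression handling is the part that usually bites in a hand conversion: POSIX gives backslash no meaning inside `[...]`, so an escaped `]` or `-` has to be repositioned instead of escaped.

```python
"""Translate the PCRE subset typical of mod_security rules into POSIX ERE.
Added example (not mod_security or gotroot code); assumes match/no-match use,
so lazy quantifiers may be made greedy, and rejects constructs with no ERE form.
"""
import re

# PCRE shorthand -> (form outside a bracket expression, form spliced inside one)
_SHORTHAND = {
    "d": ("[0-9]", "0-9"),
    "w": ("[A-Za-z0-9_]", "A-Za-z0-9_"),
    "s": ("[[:space:]]", "[:space:]"),
    "D": ("[^0-9]", None),          # negated forms cannot be spliced into [...]
    "W": ("[^A-Za-z0-9_]", None),
    "S": ("[^[:space:]]", None),
}
_SPLICED = {inner for _, inner in _SHORTHAND.values() if inner}


class UntranslatableRegex(ValueError):
    """A PCRE construct with no POSIX ERE equivalent was found."""


def _translate_bracket(pattern, i):
    """Translate the bracket expression at pattern[i] == '['; return (text, next_i).
    Backslash means nothing inside a POSIX bracket expression, so escaped ']'
    and '-' are repositioned (']' first, '-' first or last) instead.
    """
    i += 1
    negate = pattern.startswith("^", i)
    i += negate
    members, has_close, has_dash, first = [], False, False, True
    while True:
        if i >= len(pattern):
            raise UntranslatableRegex("unterminated bracket expression")
        c = pattern[i]
        if c == "]" and not first:
            i += 1
            break
        first = False
        if c == "\\":
            e = pattern[i + 1:i + 2]
            i += 2
            if e in _SHORTHAND and _SHORTHAND[e][1]:
                members.append(_SHORTHAND[e][1])
            elif e == "]":
                has_close = True
            elif e == "-":
                has_dash = True
            elif e in ("\\", "^", "["):
                members.append(e)               # literal inside a POSIX bracket
            else:
                raise UntranslatableRegex(f"escape \\{e} inside [...] not supported")
        elif c == "]":
            has_close, i = True, i + 1          # ']' in first position is literal
        elif c == "-" and (not (members or has_close)
                           or pattern.startswith("]", i + 1)
                           or (members and members[-1] in _SPLICED)):
            has_dash, i = True, i + 1           # literal '-', not a range operator
        else:
            members.append(c)                   # ordinary member or part of a-z
            i += 1
    body = "".join(members)
    if has_close:
        body = "]" + body + ("-" if has_dash else "")
    elif has_dash:
        body = "-" + body
    elif body.startswith("^") and not negate:
        body = body[1:] + "^"                   # a leading caret would negate
        if body == "^":
            return "\\^", i                     # [\^] is just an escaped caret
    return "[" + ("^" if negate else "") + body + "]", i


def pcre_to_posix(pattern):
    """Return a POSIX ERE equivalent of `pattern` or raise UntranslatableRegex."""
    out, i, n, after_quant = [], 0, len(pattern), False
    while i < n:
        c = pattern[i]
        if c == "\\":
            e = pattern[i + 1:i + 2]
            if e in _SHORTHAND:
                out.append(_SHORTHAND[e][0])
            elif e and not e.isalnum():
                out.append("\\" + e)            # escaped metacharacter: same in ERE
            else:                               # \b, \A, \xHH, \n ...: no ERE form
                raise UntranslatableRegex(f"\\{e} has no POSIX ERE equivalent")
            i, after_quant = i + 2, False
        elif c == "[":
            text, i = _translate_bracket(pattern, i)
            out.append(text)
            after_quant = False
        elif pattern.startswith("(?", i):
            if not pattern.startswith("(?:", i):
                raise UntranslatableRegex(f"lookaround, flag or named group at {i}")
            out.append("(")                     # non-capturing group -> plain group
            i, after_quant = i + 3, False
        elif c == "?" and after_quant:
            i, after_quant = i + 1, False       # lazy quantifier: same match set
        elif c == "+" and after_quant:
            raise UntranslatableRegex(f"possessive quantifier at {i}")
        elif c == "{":
            j = pattern.find("}", i)
            if j < 0 or not re.fullmatch(r"\d+(,\d*)?", pattern[i + 1:j]):
                raise UntranslatableRegex(f"bad interval quantifier at {i}")
            out.append(pattern[i:j + 1])
            i, after_quant = j + 1, True
        else:
            out.append(c)
            i, after_quant = i + 1, c in "*+?"
    return "".join(out)
```

Rejecting instead of approximating is the important design choice for a filter: a lookahead or `\b` that is quietly dropped produces a rule that loads on Apache 1.x but no longer blocks what the author intended, and nothing in the error log would say so.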
|
From: Alberto G. I. <ag...@in...> - 2005-04-04 12:34:51
|
On Mon, Apr 04, 2005 at 01:34:30PM +0200, Roman Medina-Heigl Hernandez wrote:
> I'm wondering whether:
> 1) There are other "repositories" for mod-security rules, or

You can try at:
http://modsecrules.monkeydev.org/index.php

It's quite new, but growing fast.

Regards,

Alberto

--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org) | in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
|
From: Ivan R. <iv...@we...> - 2005-04-04 14:29:03
|
Roman Medina-Heigl Hernandez wrote:
> I visited:
> http://www.modsecurity.org/db/rules/
> But I got a bit disappointed when I saw only 4 rules :-(. The db seems
> to be discontinued... ?

It never took off. At the last minute I decided a repository of rules that worked only in mod_security was not the best way forward. Instead, I designed the portable web application firewall rule format http://www.modsecurity.org/projects/wasprotect/. The plan is to implement a portable rule database in Q3 this year, with the support of other web application firewall vendors.

To be honest, there was another reason - I spent eight months last year writing the book, so I didn't have time to do anything else.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
From: Tom A. <tan...@oa...> - 2005-04-04 14:51:57
|
----- Original Message -----
From: "Ivan Ristic" <iv...@we...>
To: <mod...@li...>
Sent: Monday, April 04, 2005 10:33 AM
Subject: Re: [mod-security-users] Rules database

> Roman Medina-Heigl Hernandez wrote:
>> I visited:
>> http://www.modsecurity.org/db/rules/
>> But I got a bit disappointed when I saw only 4 rules :-(. The db seems
>> to be discontinued... ?
>
> It never took off. At the last minute I decided a repository
> of rules that worked only in mod_security was not the best
> way forward. Instead, I designed the portable web application
> firewall rule format http://www.modsecurity.org/projects/wasprotect/.

OMG, that looks horrible! Please don't make that the only accepted format. I hate dealing with completely useless markup which can just as easily be implied. It just clutters up the configuration with non-info and bloats your file sizes. The best thing about working in unix environments is that everything is kept short and sweet. Human readability is key.

SecFilterSelective "ARG_open" ^sesame$ (38 chars)

vs

<rule operator="regex" arg="params['open']" value="^sesame$" /> (63 chars)

Multiply that by your whole configuration file... what a mess! XML is good for sharing rules between systems, but not for human maintained configs.

Tom
|
From: Ivan R. <iv...@we...> - 2005-04-04 15:03:31
|
Tom Anderson wrote:
>
>> It never took off. At the last minute I decided a repository
>> of rules that worked only in mod_security was not the best
>> way forward. Instead, I designed the portable web application
>> firewall rule format http://www.modsecurity.org/projects/wasprotect/.
>
> OMG, that looks horrible!

:) It will look even worse when a layer of meta-data is added to it.

> Please don't make that the only accepted
> format.

ModSecurity will support both formats in version 2, so don't worry.

> Human readability is key.

I agree.

> XML is good for sharing rules between systems, but not for human
> maintained configs.

Again, I agree. The new XML-based format was designed just for that purpose (sharing between systems), hence the added complexity.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
From: Roman Medina-H. H. <ro...@rs...> - 2005-04-04 15:12:21
|
Ivan Ristic wrote:
> ModSecurity will support both formats in version 2, so don't
> worry.

[...]

> Again, I agree. The new XML-based format was designed just for
> that purpose (sharing between systems), hence the added
> complexity.

Then perhaps you'd not need to include support for ModSecurity. A simple conversion tool (ensuring you can translate modsecurity format <-> XML format) would suffice...

Regards,
-Román
|
From: Ivan R. <iv...@we...> - 2005-04-04 15:33:38
|
Roman Medina-Heigl Hernandez wrote:
> Ivan Ristic wrote:
>
>> ModSecurity will support both formats in version 2, so don't
>> worry.
>
> [...]
>
>> Again, I agree. The new XML-based format was designed just for
>> that purpose (sharing between systems), hence the added
>> complexity.
>
> Then perhaps you'd not need to include support for ModSecurity. A simple
> conversion tool (ensuring you can translate modsecurity format <-> XML
> format) would suffice...

Perhaps. Right now the XML format can do a few things ModSecurity native cannot but I can probably rectify that in 2.0.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
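Roman's suggestion of a conversion tool between the native `SecFilterSelective` line and the XML rule Tom quoted is small enough to sketch. The script below is an added example, not code from ModSecurity or the WASProtect project: the `<rule operator="regex" arg=... value=... />` layout and the `ARG_open` to `params['open']` mapping are taken from the one rule shown in the thread, and the treatment of any other variable name (passed through unchanged as `arg`) is an assumption. The point worth seeing in working code is the escaping boundary: a regex such as `<script` is a plain token in the Apache-style line but must become `&lt;script` in the XML attribute, which `xml.etree` does for you; the reverse direction has to re-quote a regex that contains whitespace. Embedded double quotes are left out of scope.

```python
"""Round-trip a SecFilterSelective line and the XML rule form from the thread.
Added example, not ModSecurity or WASProtect code.  The XML attribute names and
the ARG_x -> params['x'] mapping come from the rule quoted in the thread; other
variable names are passed through as-is (an assumption, not the XML format).
"""
import shlex
import xml.etree.ElementTree as ET


def _tokens(line):
    """Split an Apache-style config line: whitespace-separated, "..." groups."""
    lexer = shlex.shlex(line, posix=False)      # posix=False keeps backslashes
    lexer.whitespace_split = True
    lexer.quotes = '"'                          # a regex may contain a lone '
    lexer.commenters = ""                       # ... or a literal #
    toks = list(lexer)
    return [t[1:-1] if len(t) > 1 and t[0] == t[-1] == '"' else t for t in toks]


def native_to_xml(line):
    """SecFilterSelective "VAR" REGEX -> <rule operator="regex" arg=.. value=.. />"""
    toks = _tokens(line)
    if len(toks) != 3 or toks[0] != "SecFilterSelective":
        raise ValueError('expected: SecFilterSelective "VAR" REGEX')
    var, regex = toks[1], toks[2]
    arg = f"params['{var[4:]}']" if var.startswith("ARG_") else var
    rule = ET.Element("rule", {"operator": "regex", "arg": arg, "value": regex})
    # ElementTree escapes <, >, & and " in attribute values, so a regex like
    # <script stays well-formed XML instead of breaking the shared rule file.
    return ET.tostring(rule, encoding="unicode")


def xml_to_native(text):
    """Inverse of native_to_xml for the regex operator."""
    rule = ET.fromstring(text)
    if rule.tag != "rule" or rule.get("operator") != "regex":
        raise ValueError('only <rule operator="regex"> is handled here')
    arg, regex = rule.get("arg"), rule.get("value")
    if arg.startswith("params['") and arg.endswith("']"):
        var = "ARG_" + arg[8:-2]
    else:
        var = arg                               # assumption: pass-through name
    if any(ch.isspace() for ch in regex):
        regex = f'"{regex}"'                    # re-quote so Apache sees one token
    return f'SecFilterSelective "{var}" {regex}'


if __name__ == "__main__":
    # Constructed sample rule, the one Tom compared in the thread.
    xml = native_to_xml('SecFilterSelective "ARG_open" ^sesame$')
    print(xml, len(xml))
    print(xml_to_native(xml))
```

Requires Python 3.8 or later, where ElementTree writes attributes in insertion order; on the sample rule the output is exactly the 63-character line Tom quoted.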
|
From: Christian M. <cma...@is...> - 2005-04-04 14:29:30
|
Hi Roman:

When I tried modsecurity, I used a script to convert snort rules to modsecurity rules; maybe you could do that to initialize your rules database, and then optimize the set of rules.

Here is the link:
http://www.modsecurity.org/documentation/converted-snort-rules.html

Cheers

Christian Martorella

Roman Medina-Heigl Hernandez wrote:
> Hi,
>
> I'm interested in protecting webapps in a "generic way" (more or less
> :-)), which means that if I choose to install a PHP-Nuke portal and a
> new SQL injection bug in that portal is disclosed, it will not be
> exploitable (the code would still be buggy until patching, but that's
> unavoidable). Of course, the idea is to catch the more kind of bugs
> being possible (not only SQL injection, but directory traversal, remote
> PHP script injection, shell injection, etc).
>
> I visited:
> http://www.modsecurity.org/db/rules/
> But I got a bit disappointed when I saw only 4 rules :-(. The db seems
> to be discontinued... ?
>
> I'm wondering whether:
> 1) There are other "repositories" for mod-security rules, or
> 2) Some of you, security-specialists, would be kind enough to share the
> rules you have, ideas, etc.
>
> Other repositories (not directly related to Mod-security but perhaps
> easily "convertible" to; for instance, rules from other IPS devices) may
> also be interesting.
>
> Hope hearing from you, guys :-)
>
> Kind regards,
> -Román
|
From: Javier Fernandez-S. <jfe...@ge...> - 2005-04-04 15:24:15
|
Christian Martorella wrote:
> Hi Roman:
> When i tried the modsecurity, i used a script to convert snort rules to
> modsecurity rules, maybe you could do that to initialize your rules
> database, and then optimize the set of rules.
>

Unfortunately, that script does not work as expected and cleaning up is time consuming. I sent a patch to the list a while back that Ivan applied to the CVS; I would suggest you use http://cvs.sourceforge.net/viewcvs.py/mod-security/mod_security/util/ instead.

BTW, I also sent a while back (October last year [1]) a script to convert Nessus NASL plugins into modsecurity rules. It needs to be improved upon, but could also prove useful.

Regards

Javier

[1] Message-ID: <418...@ge...>