Thread: [mod-security-users] clam denied access
From: Brent C. <bc...@ec...> - 2006-05-19 12:58:31
Hey all

I seem to be having a problem with my internal web server.

I run freshclam on this machine and I offer clam updates, but alas freshclam for my clients are failing.

==c6ce5900==============================
Request: clamupdate.host.local 192.168.111.124 - - [19/May/2006:10:56:51 +0200] "GET /daily.cvd HTTP/1.1" 500 621 "-" "clamav/0.88.2" - "-"
----------------------------------------
GET /daily.cvd HTTP/1.1
Cache-Control: no-cache
Connection: close
Host: clamupdate.eccotours.local
User-Agent: clamav/0.88.2
mod_security-action: 500
mod_security-message: Access denied with code 500. Pattern match "^$" at HEADER("Accept")

HTTP/1.1 500 Internal Server Error
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
--c6ce5900--

anyone know how I can allow clams user agent to download the updates.

Is this not something I too should post to Clam developers.

Kind Regards
Brent Clark
From: Tom A. <tan...@oa...> - 2006-05-19 13:19:09
Brent,

Either you need to remove your mod_security rule that corresponds to 'Pattern match "^$" at HEADER("Accept")', or you need to convince the Clam developers to pass an Accept header.

Tom

Brent Clark wrote:
> Hey all
>
> I seem to be having a problem with my internal web server.
>
> I run freshclam on this machine and I offer clam updates, but alas
> freshclam for my clients are failing.
>
> ==c6ce5900==============================
> Request: clamupdate.host.local 192.168.111.124 - - [19/May/2006:10:56:51 +0200] "GET /daily.cvd HTTP/1.1" 500 621 "-" "clamav/0.88.2" - "-"
> ----------------------------------------
> GET /daily.cvd HTTP/1.1
> Cache-Control: no-cache
> Connection: close
> Host: clamupdate.eccotours.local
> User-Agent: clamav/0.88.2
> mod_security-action: 500
> mod_security-message: Access denied with code 500. Pattern match "^$" at HEADER("Accept")
>
> HTTP/1.1 500 Internal Server Error
> Connection: close
> Transfer-Encoding: chunked
> Content-Type: text/html; charset=iso-8859-1
> --c6ce5900--
>
> anyone know how I can allow clams user agent to download the updates.
>
> Is this not something I too should post to Clam developers.
>
> Kind Regards
> Brent Clark
From: kiran k <kir...@ya...> - 2006-05-21 02:19:15
Are there any tools which discovers web application from an input URL.

I am looking for a tool which crawls recursively and finds the forms, form fields, server scripts, cookies and hidden fields. Based on this information I would like to develop policies. If I have this data in xml it would be even better.

Any quick starting point would be greatly appreciated, if no tools exists. How about any commercial libraries ?

Thanks,
From: Ryan B. <rcb...@gm...> - 2006-05-21 14:29:08
<Shameless Plug>
I outline both manual and automated ruleset creations in my book "Preventing Web Attacks with Apache" -
http://www.amazon.com/gp/product/0321321286/102-5050782-8736967?v=glance&n=283155
</Shameless Plug>

You can use the Mod_Parmguard htmlspider perl script to do this -
http://www.trickytools.com/parmguard/manual-1.3/generator.html

This will get you most of the way there as it will crawl the site recursively, extract out all of the input forms, etc... and create whitelisted XML based rulesets for Mod_Parmguard to use. You will then have to translate these into the comparable modsecurity format. For example -

# ./htmlspider.pl -h http://192.168.1.102/cgi-bin/wm.cgi
<?xml version="1.0"?>
<!DOCTYPE parmguard SYSTEM "mod_parmguard.dtd">
<!-- =============================================================== -->
<!-- SCANNING SUMMARY -->
<!-- mod_parmguard Generator, version 1.2 -->
<!-- Date of Scan: Thu May 12 15:54:52 2005 -->
<!-- Start URL: http://192.168.1.102/cgi-bin/wm.cgi -->
<!-- List of not parsed URLs -->
<!-- =============================================================== -->
<parmguard>
  <url>
    <match>^/cgi-bin/wm.cgi</match>
    <parm name=".submit">
      <type setby="auto" name="string"/>
    </parm>
    <parm name="userid">
      <type setby="auto" name="string"/>
      <attr setby="auto" name="maxlen" value="16"/>
    </parm>
    <parm name="pin">
      <type setby="auto" name="string"/>
      <attr setby="auto" name="maxlen" value="4"/>
    </parm>
    <parm name="transaction">
      <type setby="auto" name="string"/>
      <attr setby="auto" name="maxlen" value="5"/>
    </parm>
  </url>
</parmguard>

You would then need to translate this mod_parmguard ruleset into modsecurity rules like this -

- Userid. For the userid parameter, we want to restrict the input size to maximum of 16 numerical digits.
- PIN. Similar to the userid data, we want to only allow four numerical digits for a pin parameter.
- Transaction. In this case, the transaction parameter is a fixed character string of "login," so we want to make sure that this does not change.

<LocationMatch "^/cgi-bin/wm.cgi">
SecFilterSelective ARG_userid "[0-9]{17,}"
SecFilterSelective ARG_pin "[0-9]{5,}"
SecFilterSelective ARG_transaction "!^login$"
</LocationMatch>

While this works, this is still a relatively manual process. If you have a large website, I would recommend that you try and update the htmlspider.pl PERL code to automatically create modsecurity output rules. This is a similar concept as the existing snort2modsec.pl script.

Hopefully this info helps.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On 5/20/06, kiran k <kir...@ya...> wrote:
>
> Are there any tools which discovers web application from an input URL.
>
> I am looking for a tool which crawls recursively and finds the forms, form
> fields, server scripts, cookies and hidden fields. Based on this
> information I would like to develop policies. If I have this data in xml it
> would be even better.
>
> Any quick starting point would be greatly appreciated, if no tools
> exists. How about any commercial libraries ?
>
> Thanks,
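An added example, not part of the message above and not code from mod_parmguard or ModSecurity: one way to automate the XML-to-rules translation that Ryan describes doing by hand, written in Python rather than in htmlspider.pl's Perl. It emits anchored, inverted (whitelist) patterns, which are stricter than the unanchored patterns in the message, and adds a parameter-name whitelist. Assumptions: the function names and the `value_patterns` argument are hypothetical, and `ARGS_NAMES` is assumed to be available in the ModSecurity 1.x release in use.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copy of the htmlspider.pl output quoted above
# (DOCTYPE and scan-summary comments removed).
PARMGUARD_XML = """<?xml version="1.0"?>
<parmguard>
  <url>
    <match>^/cgi-bin/wm.cgi</match>
    <parm name=".submit">
      <type setby="auto" name="string"/>
    </parm>
    <parm name="userid">
      <type setby="auto" name="string"/>
      <attr setby="auto" name="maxlen" value="16"/>
    </parm>
    <parm name="pin">
      <type setby="auto" name="string"/>
      <attr setby="auto" name="maxlen" value="4"/>
    </parm>
    <parm name="transaction">
      <type setby="auto" name="string"/>
      <attr setby="auto" name="maxlen" value="5"/>
    </parm>
  </url>
</parmguard>
"""


def _conf_quote(text):
    """Wrap text as a double-quoted Apache directive argument."""
    return '"' + text.replace('"', '\\"') + '"'


def parmguard_to_modsec(xml_text, value_patterns=None):
    """Turn each <url> block into a <LocationMatch> of SecFilterSelective rules.

    value_patterns (hypothetical argument) maps a parameter name to a
    hand-written regex for its whole value; it replaces the length-only rule.
    """
    value_patterns = value_patterns or {}
    out = []
    for url in ET.fromstring(xml_text).iter("url"):
        match = (url.findtext("match") or "").strip()
        if not match:
            continue  # no location to attach rules to
        names, rules = [], []
        for parm in url.findall("parm"):
            name = parm.get("name")
            # Names come from crawled HTML: refuse anything that could break
            # out of the directive (spaces, quotes, newlines).
            if not name or not re.fullmatch(r"[A-Za-z0-9_.\-]+", name):
                raise ValueError("unsafe parameter name: %r" % name)
            names.append(re.escape(name))
            maxlen = next((a.get("value") for a in parm.findall("attr")
                           if a.get("name") == "maxlen"), None)
            if name in value_patterns:
                body = value_patterns[name]
            elif maxlen is not None:
                body = ".{0,%d}" % int(maxlen)
            else:
                continue  # the spider found no constraint for this value
            rules.append("SecFilterSelective ARG_%s %s"
                         % (name, _conf_quote("!^(%s)$" % body)))
        out.append("<LocationMatch %s>" % _conf_quote(match))
        # Reject any parameter name the spider did not see on this resource.
        out.append("    SecFilterSelective ARGS_NAMES %s"
                   % _conf_quote("!^(%s)$" % "|".join(names)))
        out.extend("    " + rule for rule in rules)
        out.append("</LocationMatch>")
    return out


if __name__ == "__main__":
    tightened = {"userid": "[0-9]{1,16}", "pin": "[0-9]{4}", "transaction": "login"}
    print("\n".join(parmguard_to_modsec(PARMGUARD_XML, tightened)))
```

Without `value_patterns` the output only enforces the lengths the spider recorded; the content constraints (digits only, fixed string) still have to come from someone who knows the application.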
From: kiran k <kir...@ya...> - 2006-05-21 19:38:16
Thanks Ryan,

I tried htmlspider on mail.yahoo.com, it didn't generate any rules (form action points to https URL though). I tried on other plain website, which has login.php (no https, but it had uid, passwd parameters) that also didn't lead to any rules. I will get your book, will be worth every penny.

Any ideas what is missing ?
From: oliver k. <oli...@gm...> - 2006-05-21 09:43:43
babelweb is such a tool....

On Sat, 2006-05-20 at 19:19 -0700, kiran k wrote:
> Are there any tools which discovers web application from an input URL.
>
> I am looking for a tool which crawls recursively and finds the forms,
> form fields, server scripts, cookies and hidden fields. Based on this
> information I would like to develop policies. If I have this data in
> xml it would be even better.
>
> Any quick starting point would be greatly appreciated, if no tools
> exists. How about any commercial libraries ?
>
> Thanks,
From: Ivan R. <iva...@gm...> - 2006-05-22 08:50:34
On 5/21/06, kiran k <kir...@ya...> wrote:
>
> Are there any tools which discovers web application from an input URL.
>
> I am looking for a tool which crawls recursively and finds the forms, form
> fields, server scripts, cookies and hidden fields. Based on this information
> I would like to develop policies. If I have this data in xml it would be
> even better.
>
> Any quick starting point would be greatly appreciated, if no tools exists.
> How about any commercial libraries ?

Your best bet might be the commercial tools (web application vulnerability scanners). But, IMHO, none of the tools I have seen are smart enough to work in a general case. For example, if the web site uses JavaScript or Flash for navigation the tool is not going to help you much.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: kiran k <kir...@ya...> - 2006-05-25 20:43:51
Ok, with positive security there are no rules and it is based on usage pattern, anomalies would be flagged ? How you determine this behavioural model. It is counter-intuitive to acquire scanning tool to write the policies. How do you write positive security using the rules you mentioned manually. Can you show examples in the downloads ?

-Kiran
From: Ivan R. <iva...@gm...> - 2006-05-25 20:49:39
On 5/25/06, kiran k <kir...@ya...> wrote:
>
> Ok, with positive security there are no rules and it is based on usage
> pattern, anomalies would be flagged ?

Yes, there are rules.

> How you determine this behavioural model.

By observing the real-life traffic.

> It is counter-intuitive to acquire
> scanning tool to write the policies.

The scanning tools cannot provide you with the real-life data. They can possibly enumerate the scripts and the parameters but not the data types.

> How do you write positive security
> using the rules you mentioned manually. Can you show examples in the
> downloads ?

I don't have any examples handy but the idea is to write a group of rules for each individual resource. These rules would examine every parameter, how many parameters there are with the same name, are there any extra parameters, for every parameter check the content, the length, etc. You can see that this can quickly turn into a very tedious job.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: kiran k <kir...@ya...> - 2006-05-25 21:16:52
Can you elaborate what you are observing, web application will any number of parameters (not just s.s# which has certain format), which could be exploited.

How you record these observations, for later use ?

What happens to performance if you have too many rules.
From: Ivan R. <iva...@gm...> - 2006-05-25 21:26:31
On 5/25/06, kiran k <kir...@ya...> wrote:
>
> Can you elaborate what you are observing, web application will any number of
> parameters (not just s.s# which has certain format), which could be
> exploited.

I am afraid I don't understand your question. You can read about my ideas here:
http://www.modsecurity.org/blog/archives/2005/11/positive_securi.html
(but that's not implemented). Also read this
http://www.cs.ucsb.edu/~vigna/publications/2005_kruegel_vigna_robertson_CN05.pdf

> How you record these observations, for later use ?

I record the entire transaction in the audit log, then put the audit logs into ModSecurity Console. So even if I change my algorithm I still have the raw data to work with.

> What happens to performance if you have too many rules.

That depends on how fast is the server you are using. I've never had problem with performance with ModSecurity, although I am sure it's quite easy to shoot yourself in the foot with too many rules.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: Alexx A. <zm...@ya...> - 2006-05-26 12:01:13
Let me join your exciting discussion!
It's a topic I'm very interested in!

--- Ivan Ristic <iva...@gm...> wrote:

> I am afraid I don't understand your question. You can read about my ideas here:
> http://www.modsecurity.org/blog/archives/2005/11/positive_securi.html
> (but that's not implemented). Also read this
> http://www.cs.ucsb.edu/~vigna/publications/2005_kruegel_vigna_robertson_CN05.pdf

Ivan, I'd like to try to implement ideas mentioned in the link you provided above ( I read this paper and some others from the same authors by this topic ) in some way, perhaps using your module.
Do your further plans include support for this kind of positive security model ( I mean anomaly-based?).

And how do you think - what will be the best choice for store these rules ( based on traffic in training mode )? Raw format, structures, xml anything else?
In my opinion, format for store is rather important, because we should store rules for ALL applications on our server ( rules for every application differ ) and it could cause lots of data to store, am I right?

I found, that other vendors such as Imperva (SecureSphere 3.3), Netcontinuum, Kavado (Defiance TMS 3.1) had already implemented support for positive security model based on dynamic rules generation. It's really interesting for me which way did they choose %)

> --
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> ModSecurity: Open source Web Application Firewall

----------------
Best regards,
Alexander
From: Ivan R. <iva...@gm...> - 2006-05-26 19:12:28
On 5/26/06, kiran k <kir...@ya...> wrote:
>
> Ivan:
>
> I am afraid, don't understand design document, very little detail.

It's not a design document - it's a blog post.

> first
> approach says developer to publish the constraints, if known they would
> check them in the application itself and no need for WAF right ?

Yes, wouldn't that be great?

> Again in the email thread below you will look into the audit logs. no need to
> go through the audit logs for each request, only once after training, you
> build rules out of historic data. How to correlate rules out of these logs
> is challenge. More info on the design please.

I don't have any info to share - I haven't built that part yet.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: Ivan R. <iva...@gm...> - 2006-05-26 19:21:13
On 5/26/06, Alexx Alexx <zm...@ya...> wrote:
> Ivan, I'd like to try to implement ideas mentioned in
> the link you provided above ( I read this paper and
> some others from the same authors by this topic ) in
> some way, perhaps using your module.
> Do your further plans include support for this kind of
> positive security model ( I mean anomaly-based?).

I do plan to offer an anomaly based model but it isn't going to be statistical. I'll probably go with a heuristics-based approach because that can be manually tweaked (unlike the statistical approach).

At least one thing is certain: I will add a couple of more features to ModSecurity to support the positive model. The rest is going to be implemented as an add-on to the Console.

FYI, in spite of my plans, I'd be happy to promote your implementation on modsecurity.org.

> And how do you think - what will be the best choice
> for store these rules ( based on traffic in training
> mode )? Raw format, structures, xml anything else?
> In my opinion, format for store is rather important,
> because we should store rules for ALL applications on
> our server ( rules for every application differ ) and
> it could cause lots of data to store, am I right?

Not necessarily. For my approach I will either store the info in the database or in the XML file. But I am not going to extend ModSecurity to support access the database or read XML. The new ModSecurity Rule Language is rich enough so I'm going to convert whatever intermediary data I have into native ModSecurity rules.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
From: Alexx A. <zm...@ya...> - 2006-05-28 15:49:14
--- Ivan Ristic <iva...@gm...> wrote:

> On 5/26/06, Alexx Alexx <zm...@ya...> wrote:
> > Ivan, I'd like to try to implement ideas mentioned in
> > the link you provided above ( I read this paper and
> > some others from the same authors by this topic ) in
> > some way, perhaps using your module.
> > Do your further plans include support for this kind of
> > positive security model ( I mean anomaly-based?).
>
> I do plan to offer an anomaly based model but it isn't going to be
> statistical. I'll probably go with a heuristics-based approach because
> that can be manually tweaked (unlike the statistical approach).

Could you explain what do you mean by "heuristics-based approach", perhaps you could give some simple examples?
And why do you think, that statistical approach can't be tweaked manually? This approach depends on thresholds that can be manually adjustable, or I didn't catch your thought?

> At least one thing is certain: I will add a couple of more features to
> ModSecurity to support the positive model. The rest is going to be
> implemented as an add-on to the Console.
>
> FYI, in spite of my plans, I'd be happy to promote
> your implementation on modsecurity.org.

Thanks a lot, but at first it should be implemented %)

> > And how do you think - what will be the best choice for store
> > these rules ( based on traffic in training mode )?
>
> Not necessarily. For my approach I will either store the info in the
> database or in the XML file. But I am not going to extend ModSecurity
> to support access the database or read XML. The new ModSecurity Rule
> Language is rich enough so I'm going to convert whatever intermediary
> data I have into native ModSecurity rules.

"Native ModSecurity rules" - do you mean this project?
http://www.modsecurity.org/projects/ppr/index.html
Do you mean, that you'll generate a rule in native format on-the-fly and use it in processing?
Or all rules will be generated during training phase and then stored in one "rules-file" that will be used during processing ( or loaded in memory )?

> --
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> ModSecurity: Open source Web Application Firewall

----------------
Best regards,
Alexander
From: Ivan R. <iva...@gm...> - 2006-05-28 18:45:18
On 5/28/06, Alexx Alexx <zm...@ya...> wrote:
>
> Could you explain what do you mean by
> "heuristics-based approach", perhaps you could give
> some simple examples?

Identify application resources (scripts, images, etc). For each resource: lock down request methods, encodings, identify parameters. For each parameter: determine cardinality (optional, mandatory, more than one - up to how many), type (e.g. file or field), length, content (e.g. use regular expression), etc...

> And why do you think, that statistical approach can't
> be tweaked manually? This approach depends on
> thresholds that can be manually adjustable, or I
> didn't catch your thought?

You are right, it can be tweaked but it's more difficult to understand by a typical user. I believe the approach I briefly described above is easier to use in real life.

> > FYI, in spite of my plans, I'd be happy to promote
> > your implementation on modsecurity.org.
>
> Thanks a lot, but at first it should be implemented %)

I have to say things like that so that people are clear that my having commercial plans does not mean I will be trying to prevent other people from doing the same thing...

> Do you mean, that you'll generate a rule in native
> format on-the-fly and use it in processing?
> Or all rules will be generated during training phase
> and then stored in one "rules-file" that will be used
> during processing ( or loaded in memory )?

ModSecurity itself will not have any logic related to positive security. It will send the audit logs to the Console. Console will learn about the application, create native ModSecurity rules and feed them back to the sensor.

BTW, I will want to avoid having a training phase. I believe continual learning is better.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
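An added example, not part of the message above and not code from ModSecurity or its Console: the per-resource heuristics listed there (request methods, parameter cardinality, length, content), learned incrementally from observed requests and then used to flag departures. Assumptions: all function names, the three content classes and the sample traffic are constructed for illustration, and parameters are read from the query string only.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Content classes, narrowest first (illustrative names, not ModSecurity's).
CLASSES = [("digits", r"[0-9]*"), ("alnum", r"[A-Za-z0-9]*"), ("any", r".*")]

# Constructed sample traffic for the wm.cgi form discussed in this thread.
OBSERVED = [
    ("GET", "/cgi-bin/wm.cgi?userid=1001&pin=4321&transaction=login"),
    ("GET", "/cgi-bin/wm.cgi?userid=20045&pin=0007&transaction=login"),
    ("GET", "/cgi-bin/wm.cgi?userid=77&pin=1234&transaction=login&lang=en"),
]


def learn(profiles, method, url):
    """Fold one observed request into the per-resource profile."""
    parts = urlsplit(url)
    prof = profiles.setdefault(parts.path, {"n": 0, "methods": set(), "params": {}})
    prof["n"] += 1
    prof["methods"].add(method)
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        p = prof["params"].setdefault(
            name, {"seen": 0, "max_count": 0, "max_len": 0, "cls": 0})
        p["seen"] += 1
        p["max_count"] = max(p["max_count"], len(values))
        for v in values:
            p["max_len"] = max(p["max_len"], len(v))
            # Widen the class until the value fits; "any" always matches.
            while not re.fullmatch(CLASSES[p["cls"]][1], v, re.S):
                p["cls"] += 1


def violations(profiles, method, url):
    """Return the ways a request departs from what has been learned so far."""
    parts = urlsplit(url)
    prof = profiles.get(parts.path)
    if prof is None:
        return ["unknown resource"]
    found = []
    if method not in prof["methods"]:
        found.append("method %s not seen" % method)
    args = parse_qs(parts.query, keep_blank_values=True)
    for name, p in prof["params"].items():
        # Present in every learned request, so treated as mandatory.
        if p["seen"] == prof["n"] and name not in args:
            found.append("missing mandatory parameter %s" % name)
    for name, values in args.items():
        p = prof["params"].get(name)
        if p is None:
            found.append("extra parameter %s" % name)
            continue
        if len(values) > p["max_count"]:
            found.append("%s occurs %d times, at most %d seen"
                         % (name, len(values), p["max_count"]))
        label, pattern = CLASSES[p["cls"]]
        for v in values:
            if len(v) > p["max_len"]:
                found.append("%s longer than %d" % (name, p["max_len"]))
            if not re.fullmatch(pattern, v, re.S):
                found.append("%s is not %s" % (name, label))
    return found


def build_profiles(observed=OBSERVED):
    """Learn a profile set from a list of (method, url) observations."""
    profiles = {}
    for method, url in observed:
        learn(profiles, method, url)
    return profiles


if __name__ == "__main__":
    learned = build_profiles()
    odd = "/cgi-bin/wm.cgi?userid=abc123456&pin=4321&pin=9999&debug=1"
    for problem in violations(learned, "GET", odd):
        print(problem)
```

With only three observations the learned limits are tight, so legitimate requests will be flagged until more traffic has been folded in through `learn`.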
From: Alexx A. <zm...@ya...> - 2006-05-28 15:55:49
Kiran, are you developing application that use positive security model? What approach are you going to use?

--- kiran k <kir...@ya...> wrote:

> Ivan:
>
> I am afraid, don't understand design document,
> very little detail. first approach says developer
> to publish the constraints, if known they would
> check them in the application itself and no need for
> WAF right ?
>
> Again in the email thread below you will look into
> the audit logs. no need to go through the audit logs
> for each request, only once after training, you
> build rules out of historic data. How to correlate
> rules out of these logs is challenge. More info on
> the design please.
>
>
> Alexx Alexx <zm...@ya...> wrote:
> Let me join your exciting discussion!
> It's a topic I'm very interested in!
>
> --- Ivan Ristic wrote:
>
> > I am afraid I don't understand your question. You
> > can read about my
> > ideas here:
> > http://www.modsecurity.org/blog/archives/2005/11/positive_securi.html
> > (but that's not implemented). Also read this
> > http://www.cs.ucsb.edu/~vigna/publications/2005_kruegel_vigna_robertson_CN05.pdf

----------------
Best regards,
Alexander
From: Tom A. <tan...@oa...> - 2006-05-22 13:19:40
kiran k wrote:
> Are there any tools which discovers web application from an input URL.
>
> I am looking for a tool which crawls recursively and finds the forms,
> form fields, server scripts, cookies and hidden fields. Based on this
> information I would like to develop policies. If I have this data in xml
> it would be even better.
>
> Any quick starting point would be greatly appreciated, if no tools
> exists. How about any commercial libraries ?

You could look at Firefox's "DOM Inspector". I think it will handle Javascript and such. I don't think it will recursively crawl a site, but it's open-source, so you could just pull the parser and write your own crawler portion or lift it from a robot.

Tom