|
From: CASTELLE T. <tca...@ge...> - 2006-02-08 09:08:44
|
Hello, Another small question about modsecurity rules : Is it possible to improve these rules : SecFilterSelective ARGS "select.+from" SecFilterSelective ARGS "union.+select" SecFilterSelective ARGS "update.+set.+=3D" Because we have quite a few false positives on our websites. For = instance : http://www.foo.net/blablabla/toto.jsp?test=3Dblabla%20SELECTION%20blabla= &test2 =3D29300230&test3=3D+&test4=3D+&test5=3D+&test4=3D%2Fblablabla%26frombla= blabla Regards, Thomas. -----Message d'origine----- De=A0: Ivan Ristic [mailto:iv...@we...]=20 Envoy=E9=A0: mercredi 1 f=E9vrier 2006 15:07 =C0=A0: CASTELLE Thomas Cc=A0: mod...@li... Objet=A0: Re: [mod-security-users] mod_security rules feature request + = pro duction tools ? CASTELLE Thomas wrote: > Well, I looked quickly on the Internet and it seems that it could = happen > with IE-specific websites : > http://msdn.microsoft.com/library/default.asp?url=3D/workshop/author/dht= ml/ref erence/events.asp Yes, but that would already be handled with onSelect[[:space:]]*=3D I don't think the second part =3D[[:space:]]*onSelect is needed. > Two other questions : > - Do you think you'll provide a simple tool to automatically download > new rulesets, compare them with the ones in production, detect = changes > and integrate them in the production environment, like the > "rule-du-jour" script for spamassassin ? I don't have any immediate plans. It's like this: I can either choose to work on ModSecurity itself or on the related utilities. = ModSecurity wins every time. I appreciate that it's not easy to start = contributing to ModSecurity because of the complexities involved but it'd be = really nice to see someone step up and work on the related utilities. (Also I am not sure there is a need for something like that because I don't see the generic rules changing often.) > - Do you know if a modsecurity log analysis tool exists ? One that = could > generate a human-readable report daily with the different events > detected or blocked ? No, but I am working on a commercial tool for real-time log aggregation and reporting at the moment. A beta should be available in the next couple of weeks. --=20 Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com Tel: +44 20 8141 2161, Fax: +44 87 0762 3934 |
|
From: Tom A. <tan...@oa...> - 2006-02-08 14:25:32
|
CASTELLE Thomas wrote: > Is it possible to improve these rules : > > SecFilterSelective ARGS "select.+from" > SecFilterSelective ARGS "union.+select" > SecFilterSelective ARGS "update.+set.+=" > > Because we have quite a few false positives on our websites. For instance : > > http://www.foo.net/blablabla/toto.jsp?test=blabla%20SELECTION%20blabla&test2=29300230&test3=+&test4=+&test5=+&test4=%2Fblablabla%26fromblablabla > <http://www.foo.net/blablabla/toto.jsp?test=blabla%20SELECTION%20blabla&test2=29300230&test3=+&test4=+&test5=+&test4=%2Fblablabla%26fromblablabla> These rules are way too inclusive and generic. They will tend to match nearly any sufficiently long text. You need to make them much more specific. Since it's nearly impossible to consider every possible combination of strings which could possibly be executed as SQL, including extra spacing and ignored characters, you need to limit such filters only to programs and variables which deal directly with database queries. Any other use is superfluous anyway. For instance, if you wanted to protect a program called "search.cgi", where a form field called "string" is used to construct an SQL query, and there is no sanitation written into "search.cgi", and you cannot add it, you might use this filter: SecFilterSelective THE_REQUEST "search.cgi" chain SecFilterSelective ARG_string "update.+?set.+?=" Of course, this might cause a problem if your site is a search engine, encyclopedia, or discussion forum which might include topics about SQL or even interior decorating (eg. "I want to update my dining room set to something more formal"). That's why it's better to sanitize input such as this (escape special characters, etc.) rather than filter it. Tom |
|
From: Ivan R. <iv...@we...> - 2006-02-08 18:32:29
|
CASTELLE Thomas wrote: > Hello, > > Another small question about modsecurity rules : > > Is it possible to improve these rules : > > SecFilterSelective ARGS "select.+from" > SecFilterSelective ARGS "union.+select" > SecFilterSelective ARGS "update.+set.+=" > > Because we have quite a few false positives on our websites. That's a difficult one, because SQL is essentially English. It may be possible to reduce the number of false positives (but not avoid them altogether) with something like: SecFilterSelective ARGS_VALUES "select[[:space:]].+[[:space:]]from" Looking at parameters individually is likely to reduce the number although it allows for one part of the injection string to go into one parameter and the other into some other parameter. Also, even the original signature does not address this type of attack completely. -- Ivan Ristic, Technical Director Thinking Stone, http://www.thinkingstone.com ModSecurity: Open source Web Application Firewall |
