Thread: [mod-security-users] Verifying credit cards
From: Matthew T. <mj...@gm...> - 2008-01-10 21:43:35

Hello,

I'm trying to set up something to verify that credit card numbers are not returned (phase 4, I believe). Easily enough I can set up a regex to verify, but that could lead to false positives. I know that you can execute an external script when you get a match, but can you then get the results of that external script? I'd just like to run a Luhn check on the number; if it comes back positive then I'll react, otherwise I'll let it through. Any help is appreciated.

Thanks,

Matt
From: Chris W. <c.d...@re...> - 2008-01-10 21:52:25

Ofer discussed this very thing in the ModSecurity Blog: http://www.modsecurity.org/blog/archives/2008/01/detecting_credi.html

Chris

Matthew Tice wrote:
> I'm trying to set up something to verify that credit card numbers are not
> returned (phase 4, I believe).

--
Christopher Wakelin, c.d...@re...
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK                Fax: +44 (0)118 975 3094
From: Vladimir H. <ad...@oi...> - 2008-01-10 21:54:03

Hello,

Trying to generate a report on demand (modsec console) for the past day. Always receiving as a result error 500 "internal server error". Where might the problem be?

Best regards,

Vladimir Hrusca
From: Ryan B. <Rya...@Br...> - 2008-01-10 22:11:03

As a reference, did you see the recent Blog post by Ofer on Detecting Credit Card Numbers in Network Traffic? http://www.modsecurity.org/blog/archives/2008/01/detecting_credi.html

A few comments:

* You are correct in that if you want to identify/block outbound payloads that have CC #s, then you do need to run your rules in phase:4 (response body).
* You can use RegExs to help attempt to identify CCs; however, that alone will still yield some false positives. I have run into this issue quite a lot during the WASC distributed open proxy honeypot project. Sites that use Google's Ad-client javascript code, for example, will often match a CC RegEx (as mentioned in Ofer's Blog post).
* Ofer's Blog post also mentions doing a Luhn check; however, keep in mind that 1 out of 10 #s will still return true...
* You could run an "exec" action to have an external script run the Luhn check against the data.

FYI - we (Breach) have addressed this issue in our commercial Enhanced Rule set by including an additional module to create a new @verifyCC operator that will run the Luhn check against the captured CC RegEx matches.

Hope this helps.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

From: mod...@li... On Behalf Of Matthew Tice
Sent: Thursday, January 10, 2008 4:44 PM
Subject: [mod-security-users] Verifying credit cards

> I'd just like to run a Luhn check on the number, if it comes back positive
> then I'll react, otherwise I'll let it through.
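The regex-then-Luhn approach the replies above describe, as an added example that is not part of the thread, not ModSecurity's own code and not the @verifyCC implementation. A candidate regex pulls digit runs out of a response body, then a Luhn (mod 10) check filters them. The regex, the function names and the sample response body are all constructed for the demo; the body is built to show both effects Ryan describes: a 16-digit value from a script tag that the regex flags but Luhn rejects, and a tracking id that happens to pass Luhn anyway.

```python
"""Regex candidate extraction followed by a Luhn check over a response body.

Added example for this thread; it is not ModSecurity's own code and not the
@verifyCC implementation. The candidate regex, the function names and the
sample response body are all constructed for the demo.
"""
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or dashes, not glued to other digits or dashes on either side.
CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Constructed response body: one well-known test card number, one 16-digit
# value that only resembles a card number (the kind of hit ad/tracking
# JavaScript produces), and one 16-digit tracking id that happens to pass
# Luhn (the "1 in 10" caveat from the thread).
SAMPLE_BODY = """<p>Order 4111 1111 1111 1111 confirmed.</p>
<script>var adClient = 1234567890123456;</script>
<p>Tracking id 1234567890123452, shipped.</p>
"""


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9         # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def find_candidates(body: str) -> list[tuple[str, bool]]:
    """Return (matched text, passes_luhn) for every regex hit in body."""
    results = []
    for match in CANDIDATE_RE.finditer(body):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        results.append((raw, luhn_valid(digits)))
    return results


def luhn_hits(body: str) -> list[str]:
    """Only the candidates that survive the Luhn filter: what a phase:4 rule
    would act on. Regex-only matching flags all three strings in SAMPLE_BODY;
    Luhn drops the ad client id but still keeps the tracking id."""
    return [raw for raw, ok in find_candidates(body) if ok]


if __name__ == "__main__":
    for raw, ok in find_candidates(SAMPLE_BODY):
        print(f"{raw!r:24} luhn={'pass' if ok else 'fail'}")
    print("would act on:", luhn_hits(SAMPLE_BODY))
```

Run it as a script to see the three candidates and the two that survive. The surviving tracking id is the residual false-positive rate Ryan warns about: Luhn rejects roughly nine in ten random digit strings but passes the tenth, so a production rule should pair it with issuer-prefix and per-brand length checks, and the `digits` string should never be written to the audit log in full. In ModSecurity 2.5 and later the regex-plus-Luhn step is what the built-in @verifyCC operator does, as Ivan notes later in the thread.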
From: Thomas A. <tan...@oa...> - 2008-08-24 02:57:05

In 00_asl_rbl.conf, I would recommend against making sbl-xbl.spamhaus.org a default block list. XBL sources IPs from CBL (Composite Block List) from cbl.abuseat.org, which commonly lists dynamic IPs as a policy. I had a client unable to use his administrative interface recently because he unfortunately received an IP from Verizon which was listed. SBL.spamhaus.org I think is less likely to have false positives due to dynamic IPs. Also, SORBS offers a lot of more targeted lists: http://www.au.sorbs.net/using.shtml

That's not to say that some people may not want to block dynamic IPs previously found to be sending viruses and worms, but it's much more prone to false positives, which I don't think should be a default.

Tom
From: Ryan B. <Rya...@Br...> - 2008-08-24 18:19:17

> -----Original Message-----
> From: mod...@li... On Behalf Of Thomas Anderson
> Sent: Saturday, August 23, 2008 10:57 PM
> To: mod...@li...
> Subject: [mod-security-users] xbl.spamhaus.org
>
> In 00_asl_rbl.conf, I would recommend against making
> sbl-xbl.spamhaus.org a default block list.

[Ryan Barnett] Tom, that rules file is from GotRoot and is not supported by Breach Security. Have you tried posting this on their user forum? http://www.gotroot.com/tiki-view_forum.php?forumId=35

> XBL sources IPs from CBL
> (Composite Block List) from cbl.abuseat.org, which commonly lists
> dynamic IPs as a policy. I had a client unable to use his
> administrative interface recently because he unfortunately received an
> IP from Verizon which was listed. SBL.spamhaus.org I think is less
> likely to have false positives due to dynamic IPs. Also, SORBS offers
> a lot of more targeted lists... http://www.au.sorbs.net/using.shtml.
> That's not to say that some people may not want to block dynamic IPs
> previously found to be sending viruses and worms, but it's much more
> prone to false positives, which I don't think should be a default.

[Ryan Barnett] I agree with you. We have discussed some thoughts on selecting the proper RBL to use for various scenarios in previous list postings: http://osdir.com/ml/apache.mod-security.user/2007-11/msg00003.html
From: Ivan R. <iva...@gm...> - 2008-01-11 10:10:16

On Jan 10, 2008 10:09 PM, Ryan Barnett <Rya...@br...> wrote:
> ...
> FYI - we (Breach) have addressed this issue in our commercial Enhanced Rule
> set by including an additional module to create a new @verifyCC operator
> that will run the Luhn check against the captured CC RegEx matches.

The code for the @verifyCC operator has since been included in ModSecurity, starting with the 2.5 branch:
http://www.modsecurity.org/documentation/modsecurity-apache/2.5.0-rc1/modsecurity2-apache-reference.html#N1183E

> Hope this helps.

--
Ivan Ristic
From: Matthew T. <mj...@gm...> - 2008-01-11 14:30:21

Very good, thanks for all the info everyone.

Matt
From: Ivan R. <iva...@gm...> - 2008-01-11 10:11:17

There should be an error message in the debug log to tell you what went wrong...

On Jan 10, 2008 9:53 PM, Vladimir Hrusca <ad...@oi...> wrote:
> Trying to generate a report on demand (modsec console) for past day. Always
> receiving as result error 500 "internal server error". Where may be a
> problem?

--
Ivan Ristic
From: Vladimir H. <ad...@oi...> - 2008-01-11 10:47:27

It is:

Jan 11, 2008 11:31:09 AM com.thinkingstone.console.web.DispatcherServlet service
SEVERE: Error processing web application request.
javax.servlet.ServletException
    at com.thinkingstone.console.web.DispatcherServlet.service(Unknown Source)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:427)
    at org.mortbay.jetty.servlet.ServletHandler.dispatch(ServletHandler.java:666)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:568)
    at org.mortbay.http.HttpContext.handle(HttpContext.java:1565)
    at org.mortbay.http.HttpContext.handle(HttpContext.java:1517)
    at org.mortbay.http.HttpServer.service(HttpServer.java:954)
    at org.mortbay.http.HttpConnection.service(HttpConnection.java:816)
    at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:983)
    at org.mortbay.http.HttpConnection.handle(HttpConnection.java:833)
    at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)
    at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:357)
    at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)

-----Original Message-----
From: Ivan Ristic [mailto:iva...@gm...]
Sent: Friday, January 11, 2008 11:11 AM
To: Vladimir Hrusca
Cc: mod...@li...
Subject: Re: [mod-security-users] modsecurity console report

There should be an error message in the debug log to tell you what went wrong...
From: Ivan R. <iva...@gm...> - 2008-01-11 10:50:19

There is more than that. Send the entire file to me privately and I'll have a look.

On Jan 11, 2008 10:47 AM, Vladimir Hrusca <ad...@oi...> wrote:
> It is:
>
> Jan 11, 2008 11:31:09 AM com.thinkingstone.console.web.DispatcherServlet service
> SEVERE: Error processing web application request.
> javax.servlet.ServletException
>     at com.thinkingstone.console.web.DispatcherServlet.service(Unknown Source)

--
Ivan Ristic
From: Ivan R. <iva...@gm...> - 2008-01-11 14:03:21

On Jan 11, 2008 1:21 PM, Vladimir Hrusca <ad...@oi...> wrote:
> This is a CentOS system, technically it is Red Hat.

Their Java implementation is not complete and that's why you are experiencing problems. If you download one of Sun's recent JREs your problems are likely to go away.

> Version is 1.4.2
>
> -----Original Message-----
> From: Ivan Ristic [mailto:iva...@gm...]
> Sent: Friday, January 11, 2008 12:04 PM
> To: Vladimir Hrusca
> Subject: Re: [mod-security-users] modsecurity console report
>
> The error is:
>
> SEVERE: InvocationTargetExeption
> java.lang.NoClassDefFoundError
>     at org.jfree.chart.ChartFactory.createPieChart(ChartFactory.java:228)
>
> Are you running the Console under RedHat's Java implementation? If
> not, what is the JRE/JDK you are using?
>
> On Jan 11, 2008 10:59 AM, Vladimir Hrusca <ad...@oi...> wrote:
> > Here we are.
> >
> > -----Original Message-----
> > From: Ivan Ristic [mailto:iva...@gm...]
> > Sent: Friday, January 11, 2008 11:50 AM
> > To: Vladimir Hrusca
> > Cc: mod...@li...
> > Subject: Re: [mod-security-users] modsecurity console report
> >
> > There is more than that. Send the entire file to me privately and I'll
> > have a look.

--
Ivan Ristic
From: Vladimir H. <ad...@oi...> - 2008-01-11 14:43:58

Thank you very much. Problem is solved.

-----Original Message-----
From: Ivan Ristic [mailto:iva...@gm...]
Sent: Friday, January 11, 2008 3:03 PM
To: Vladimir Hrusca
Cc: mod...@li...
Subject: Re: [mod-security-users] modsecurity console report

Their Java implementation is not complete and that's why you are experiencing problems. If you download one of Sun's recent JREs your problems are likely to go away.