gmane.comp.apache.mod-security.user

Re: Fwd: Slight Issue installing mod_security

Joel Joyner — 2008-05-09T17:57:49

Thanks ... I don't think I need Lua so I'm just going to skip it and see how things go. So far so good. --------------------------------------------------------- Joel Joyner Systems Administrator Uniserve Communications Corp. www.uniserve.com Providing quality internet and communications services to over 250,000 customers. --------------------------------------------------------- ----- Original Message ----- From: "Brian Rectanus" breach.com> To: "Joel Joyner" uniserveteam.com> Cc: support< at >modsecurity.org, mod-security-users< at >lists.sourceforge.net Sent: Thursday, May 8, 2008 3:01:44 PM (GMT-0800) America/Los_Angeles Subject: Re: [mod-security-users] Fwd: Slight Issue installing mod_security Changed for the next release (2.5.5)... Optionally install the latest version of Lua in the 5.1.x branch, if it isn't already installed on the server and you will be using the new Lua engine. http://www.lua.org/download.html Note that ModSecurity requires the dynamic libraries.

Re: Forcing clients to enable cookies?

Brian Rectanus — 2008-05-09T16:59:43

ModSecurity cannot add cookies, so you would have to use mod_rewrite. Conceptually you are correct, but it is not quite that easy because you need to avoid a potential infinite loop of redirects if the browser does not support cookies (ie you set a cookie and redirect, then there is no cookie, so you repeat). You have to redirect to a cookie test URI, then if it is the cookie test URI, check for a cookie and then redirect back to the correct URI. Something like this (untested, but should give you some ideas): ### Check for a cookie + cookie test URI RewriteCond %{HTTP_COOKIE} "!^$" # Redirect back to the original page RewriteRule ^/your/cookie/test/uri/(.*) $1 [R,L] ### Check for no cookie + cookie test URI RewriteCond %{HTTP_COOKIE} "^$" # Change the URI (internal redirect) to the error page RewriteRule ^/your/cookie/test/uri/.* /no/cookie/error/page [L] ### No cookie on the entry page RewriteCond %{HTTP_COOKIE} "^$" # Set a flag stating no cookie RewriteRule ^/your/entry/page - [E=checkcookie:1] ###

Re: Header sanitization

Brian Rectanus — 2008-05-09T15:55:58

Th setuid action is what sets USERID, so it is empty to begin with. You want REMOTE_USER: SecRule REMOTE_USER "." pass,nolog,setuid:%{REMOTE_USER} Or you need to parse out the user and put it in TX.1 or similar via capture. -B Nick Gearls wrote:

Re: ModSecurity and WAFEC

Przemyslaw Skowron — 2008-05-09T11:50:33

When can I expect the new version WAFEC (v2)? Before September? I start work on a thesis work, where search the mod_security compliance with WAFEC. I would like to resist the latest of these studies document - WAFECv2, not WAFEC. Best Regards,

Re: Forcing clients to enable cookies?

Stefan Müller-Wilken — 2008-05-09T10:14:26

Thanks, Mike, for the prompt answer. But aren't things a little different here? You restrict your blocking rules to POST requests, thus giving the browser a chance to pick up a cookie before forcing out requests without cookies. In my case I can't do that because I don't know if applications use POSTs at all. I have to act on any kind of HTTP request. What I think I need is a way to set cookies on requests (okay, easy) and then somehow identify subsequent requests to check if the cookie is still there and act accordingly. And I don't know how to identify those subsequent requests... Cheers Stefan. Resco GmbH Geschäftsführer: Michael Mörchen Amtsgericht Hamburg, HRB 76048 Ust.Ident-Nr.:DE208833022 Haftungsausschluss: Diese Nachricht ist ausschließlich für die Person oder Einheit bestimmt, an die sie gerichtet ist. Sie enthält unter Umständen Informationen, die unter geltendem Recht vertraulich, gesetzlich geschützt oder von der Offenlegung ausgeschlossen sind. Falls Sie nicht der vorgesehene Em

Re: Forcing clients to enable cookies?

Michael Renzmann — 2008-05-09T09:37:35

Hi. Well, in ScallyWhack I have some rules to block POST requests from clients that have either no or not the right cookies set (see [1]); this has proofed as a good way to block spam bots from Trac-driven sites. So yes, basically it is possible to use mod-security for this purpose. Bye, Mike [1] http://projects.otaku42.de/browser/scallywhack/trunk/modsecurity_sw_20_tracspam.conf#L35 ------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

Forcing clients to enable cookies?

Stefan Müller-Wilken — 2008-05-09T09:27:38

Dear all, one of my customers has introduced a security policy by which all web applications have to do their session handling via cookies. Rather than doing the boilerplate code in all web apps I'd like to check in only one place if client browsers allow cookies and send them to an error page if not. Is there a way to use mod_security to do the trick? Or would I be better off using mod_rewrite instead? Conceptionally I would have set a cookie, force a reload, and on the next access, see if the cookie is still there, right? But how can I do that? Would be great if someone could give me an idea! Cheers Stefan. Resco GmbH Geschäftsführer: Michael Mörchen Amtsgericht Hamburg, HRB 76048 Ust.Ident-Nr.:DE208833022 Haftungsausschluss: Diese Nachricht ist ausschließlich für die Person oder Einheit bestimmt, an die sie gerichtet ist. Sie enthält unter Umständen Informationen, die unter geltendem Recht vertraulich, gesetzlich geschützt oder von der Offenlegung ausgeschlossen sind. Falls Sie nicht der vo

Re: Header sanitization

Nick Gearls — 2008-05-09T06:33:29

I tried the following, but it doesn't work SecRule USERID "." pass,nolog,setuid:%{USERID} I also tried # Set userid again into session SecRule SESSION:user "." pass,setuid:%{SESSION.user},log ... # Save userid into session SecRule USERID "." pass,log,setvar:SESSION.user=%{USERID} And even # Set userid again into session SecRule SESSION:user "." pass,setuid:%{SESSION.user},log # Add Basic Authentication userid to logs SecRule REQUEST_HEADERS:Authorization "^Basic\s(.*)$" \ "phase:1,chain,t:none,capture,nolog,pass" SecRule TX:1 "^(.*)$" \ "chain,t:none,t:base64Decode,capture" SecRule TX:1 "^([^:]+)" \ "t:none,capture,setuid:%{TX.1},setvar:SESSION.user=%{TX.1}" no way to get the userid remembered. I assume I missed something !?! Thanks, Nick Ivan Ristic wrote: ------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting

Re: Fwd: Slight Issue installing mod_security

William Salusky — 2008-05-09T02:56:43

------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone_______________________________________________ mod-security-users mailing list mod-security-users< at >lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mod-security-users

Re: Fwd: Slight Issue installing mod_security

Brian Rectanus — 2008-05-08T22:01:44

Changed for the next release (2.5.5)... Optionally install the latest version of Lua in the 5.1.x branch, if it isn't already installed on the server and you will be using the new Lua engine. http://www.lua.org/download.html Note that ModSecurity requires the dynamic libraries. These are not built by default in the source distribution, so the binary distribution is recommended. Thanks, -B Joel Joyner wrote:

ModSecurity 2.5 Phrase Match OperatorPerformance

Brian Rectanus — 2008-05-08T21:41:54

I just posted a blog showing the performance differences between < at >rx, optimized < at >rx and the < at >pm operator. Worth a read if you are trying to match a list of static phrases. http://blog.modsecurity.org/ -B

Re: ModSecurity 2.5.4 Released

Brian Rectanus — 2008-05-08T19:44:29

I just wanted to clarify that the workarounds were *either* 1 *or* 2 and both are not required. thanks, -B

Re: Fwd: Slight Issue installing mod_security

Joel Joyner — 2008-05-08T19:44:39

The instructions at http://www.modsecurity.org/documentation/modsecurity-apache/2.5.2/html-multipage/installation.html state: 4. Install the latest version of Lua in the 5.1.x branch, if it isn't already installed on the server. http://www.lua.org/download.html If this step is optional, can this page be modified to indicate that? It would be helpful for us newbies :-) . Thanks. ----- Original Message ----- From: "Brian Rectanus" breach.com> To: "Joel Joyner" uniserveteam.com> Cc: mod-security-users< at >lists.sourceforge.net Sent: Wednesday, May 7, 2008 1:38:54 PM (GMT-0800) America/Los_Angeles Subject: Re: [mod-security-users] Fwd: Slight Issue installing mod_security The Lua source does not build shared libraries (/usr/lib/liblua5.1.so), but only static libs (/usr/lib/liblua5.1.a). ModSecurity requires the shared libraries. If you do want Lua support (you do not unless you are going to write Lua rules yourself). Then you need to install the binaries from the Lua site, or b

ModSecurity 2.5.4 Released

Brian Rectanus — 2008-05-08T16:48:13

Hello all, ModSecurity 2.5.4 was released. This fixes a problem with transformation caching in ModSecurity 2.5 through version 2.5.3. Transformation Caching Issue Details: If you are using a transformation in SecDefaultAction and t:none in a rule, then there is the potential for the rule to use the wrong cached value (the default transformation value), possibly resulting in a false negative (no match). The Core Rules v1.6 do not require a default transformation, but there is a potential for a false negative if a default transformation is defined. Upgrading to 2.5.4 is encouraged, however, workarounds are available until an upgrade is possible. Workarounds for Transformation Caching Issue in 2.5.0-2.5.3: 1) (recommended) Disable transformation caching until you can upgrade to 2.5.4 with: SecCacheTransformations Off 2) Remove any default transformations in SecDefaultAction if other rules are not depending on them. Packages can be downloaded from modsecurity.org as always. -B

Rule-Syntax for multiple Checks ?

Dirk Caspari — 2008-05-08T13:48:56

Hello, I need help to create a positive Rule (allow) with multiple Checks. All the "CHAIN" examples I found, was only with ONE additional Check. How can I work with multiple Checks in one Rule? I want to ALLOW this REQUEST => if the URL and the Parameter-Syntax are correct ! Examples: https://XXXXXXX.XXXXXXX.de/eddfue/getMT940?berater=3 or https://XXXXXXX.XXXXXXX.de/eddfue/getMT940?berater=3&from=2008-05-05 or https://XXXXXXX.XXXXXXX.de/eddfue/getMT940?from=2008-05-05 . . I've configured something like this (!!! but it don't work !!!) SecRule REQUEST_URI "^/eddfue/(get|list)MT940" "phase:2,chain,allow,msg:'VALID URL',id:'ed-15-004',severity:'7'" SecRule ARGS_GET:from "^\d{4}-\d{2}-\d{2}$" "chain" SecRule ARGS_GET:berater "^\d+$" "chain" SecRule ARGS_GET:to "^\d{4}-\d{2}-\d{2}$" What's wrong ? ModSecurity Version: 2.5.2 Thanks D I R K ------------------------------------------------------------------------- This SF.net email is sponsored by t

how to filter

Fred Zandvliet — 2008-05-08T13:30:02

Hi, I'm Fred (Netherlands) and i have just installed version 1.9.3, i am not familair with modsecurity and i have this problem: I want to filter out a string only if the ip-address is coming from the outsite. I mean every ip-address that not begins with 192.168.*.* Somthing like this: if ip-address is not 192.168.*.* then SecFilter "abc123" redirect www.google.com Is this possible and can someone help me with this? Greetings, Fred Zandvliet Netherlands ------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

Re: Header sanitization

Ivan Ristic — 2008-05-08T10:12:40

Yes, you store it in the session storage, then, on every request, you take the username from the session storage and run it against setuid. Although this too is something I would expect ModSecurity to do automatically. Adding another ticket. (Keep those requests coming!) On Thu, May 8, 2008 at 11:03 AM, Nick Gearls gmail.com> wrote:

Re: Header sanitization

Nick Gearls — 2008-05-08T10:03:13

Would be great to be able to add a username from a HTML form also (with a specific directive obviously), as many applications do not use basic auth. I did this - with a similar trick - but it is lost on the next request, although I registered the session id. Any idea to remember the userid from the session ? Ivan Ristic wrote: ------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

Re: Header sanitization

Ivan Ristic — 2008-05-08T08:21:36

Actually, I think the username)is relevant information that needs to be recorded in the audit log automatically. I'll open a ticket for it. On Thu, May 8, 2008 at 8:58 AM, Nick Gearls gmail.com> wrote:

Re: Header sanitization

Nick Gearls — 2008-05-08T07:58:45

That's great, although the syntax is a bit more complex: # Add Basic Authentication userid to logs SecRule REQUEST_HEADERS:Authorization "^Basic\s(.*)$" \ "phase:1,chain,t:none,capture,nolog,pass" SecRule TX:1 "^(.*)$" \ "chain,t:none,t:base64Decode,capture" SecRule TX:1 "^([^:]+)" \ "t:none,capture,setuid:%{TX.1}" Thanks, Nick Brian Rectanus wrote: ------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

Re: Fwd: Slight Issue installing mod_security

Brian Rectanus — 2008-05-07T20:38:54

The Lua source does not build shared libraries (/usr/lib/liblua5.1.so), but only static libs (/usr/lib/liblua5.1.a). ModSecurity requires the shared libraries. If you do want Lua support (you do not unless you are going to write Lua rules yourself). Then you need to install the binaries from the Lua site, or build the Lua shared libs yourself. You can do this to build the shared libs: http://sourceforge.net/mailarchive/message.php?msg_id=47E2E3FC.3060307%40breach.com -B Joel Joyner wrote: