lua over myproxy

I use a couple blacklists on my firewall. One is perpetual, and one is dynamic
and temporary. Multiple programs add to the dynamic table; the other is manual.

I currently still use blacklist-webclient but hacked it to talk directly to
shorewall rather than blacklist.pl, which I ditched. Actually works flawlessly.

Shorewall adds a rule to the "dynamic" table and I run a cron task every two
hours that removes the oldest (1)entry from the list. No threat from DOS here.

I am always upgrading and altering my systems, and I can see some prospects now
that I have this Lua game going in modsec.

Can't I do the same blacklist thing with lua, and forget blacklist-webclient?
If possible it would be a good to add a example script to the dist with this in
mind as it would be very useful.

Yes/no/maybe/haha/vomit?

Marty B.
--

-- 
Electile Dysfunction : the inability to become aroused over any of the
choices for President put forth by either party in the 2008 election.

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08

Disabling rules for one argument

Hello,

I have a rule like
    SecRule ARGS "bad pattern" "id:10000,..."
and I'd like to disable it for one specific argument

I tried
    SecRule ARGS:name  "phase:2,t:none,allow,nolog,ctl:ruleRemoveById=10000"

but it doesn't work

Any idea ?

Thanks,

Nick

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08

Re: problem with my regex and single line HTMLcomment in RESPONSE_BODY

Hi,

I'm a little embarrassed about yesterday's outburst - I guess reading
debug files for so long made me a little nutso.

Ivan, back to your idea of a ModSecurity console...

I think a large part of my frustration (besides sucking at writing
regex's  comes from having to modify the .conf file, restart
Apache, run a test case, then wade through the debug log file just to
see if it worked or not.

In a couple of weeks after I've hit the 50% project completion
milestone and I compile and install 2.5.5, I'll look more closely at
the C functions in msc_pcre.c. Perhaps it won't be too difficult to
write a C program that can call those directly or call the function
calls that ModSecurity calls.

For now I would be happy with just a shell command line interface
where I can input the regex, then proceed by entering different
strings and knowing if they match or not.

I am writing many WebGoat sublesson-specific regex's and this would
save me a lot of time I believe.

Cheers,
Stephen

On Fri, Jul 4, 2008 at 8:55 AM, Ivan Ristic <ivanr <at> webkreator.com> wrote:
> Achim Hoffmann wrote:

lua

I am in the process of beta testing snort 3 and I needed to install LUA.
With a little practice I will be able to do things with that language.

Because I have it...How is LUA interfaced with the mod security API?
I didn't find that info in the docs but am willing to give it a shot on my
installs.
I am professional at breaking things:) I just need a bit of direction and I will
be having lotsa fun. Will somebody clue me, please?.

Thanks,

Marty B.

--

-- 
Electile Dysfunction : the inability to become aroused over any of the
choices for President put forth by either party in the 2008 election.

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users

Aritchecture

Hi,

Anyone can share about the setup of mod_security in your applications.

Current we have,

User <==> LVS (x2) <==> Squid (x3) <==> Apache/ PHP (x6) <==> MySQL

We are considering..

1. install one dedicated after Squid for centralized filtering, but
this is single point of failure and might be the bottom neck.
2. install mod_sec at each Apache

What do you think?

Thanks.

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08

Re: problem with my regex and single line HTMLcomment in RESPONSE_BODY

Hi Achim,

Pardon me if my rant is off-topic, but this seems to be a good place
for it for me now.

In the 60+ hours in the last 5 days that I have spent writing
ModSecurity rules for WebGoat vulnerabilities, more than half of that
time has been spent on getting the regex's working. I am so tired of
reading the debug file to see how my regex is being interpreted.

I feel like I am a slave to the PCRE engine instead of the opposite.

It's not rocket science:
1. I want an account number that has digits, characters and a hyphen,
but no spaces or special characters.
2. I want a password that has alphanumeric and special chars, but has
no spaces or '>' and '<'.
3. I want a user name with chars, ', -, and spaces but nothing else.

I could do this much easier and faster writing Java, C#, or C (which
is why ModSecurity is written in C; check the source for
urlDecodeUni).

I'm at the point where I think it's easier to write my own routines in
Lua and build my own library for reuse; disclaimer: I don't need
speed.

(/end of rant)

Stephen

protecting rotating numbers in a URL

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users

Visualization of the core-rules

Hi,

I just wrote a little parser for reading the core-rules files into an  
XML-format that can be used in a flexible way and came to the idea to  
transform the XML into HTML for having a nice "visualization" of the  
core-rules within your browser.

The result is a parser which does

     core-rules-x.y.z.tar.gz --> XML*

and a small XSLT stylesheet, which can be used for

     XML* -->  HTML

This will end up in the whole core-rules being displayed as a single  
web-page.
My intention to do this was basically to have a view on the core-rules  
which reassembles the rule-processing flow as closely as possible to  
that of the rule-engine of ModSecurity.

Thus, the rules are sorted by phases, and within the phases by the  
location within the "global ruleview", i.e. in the same order they  
should be processed by ModSecurity. Chained rules are also glued  
together and displayed as "nested rules".

Of course, meta-information like the rule-id, rule-location within the  
core-rules is also preserved and displayed. The resulting view is a  
single-page html and easily lets you search using you browsers built- 
in "search"-function.

If you want to have a look at it, you can find this small side-project  
at

	http://www.jwall.org/core-rules/

If you find any bugs (i.e. things that are wrongly ordered, etc.) or  
have more ideas on how to visualize things a little better, then just  
let me know. Of course, any feedback about helpfulness and the like is  
also welcome 

Regards,
    Christian

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08

Re: the @pm operator inmodsecurity_crs_40_generic_attacks.conf

It is important to understand the value/purpose that the set-based matching operator brings - speed.  It is
much faster that the regex operator (especially when the data it is inspecting is very large).  With this
being said, you also need to realiaze its shortcoming - decreased logic.  It is simply a text string matcher
and does not have the advaced logic of a regex.

What we chose to do with the core rule set was to use the set-based matching operator as a "pre-qualifier"
before running the more expensive regex checks.  The @pm check casts a wide net to see if the data even has a
chance of matching (as your example shows) and then the regex check would do further analysis (such as
apply word boudary checks) to both rule out this false positive and confirm attack payloads with
increased logic.

Hope this helps.

Thanks,
Ryan C. Barnett 

----- Original Message -----
From: mod-security-users-bounces <at> lists.sourceforge.net <mod-security-users-bounces <at> lists.sourceforge.net>
To: mod-security-users <at> lists.sourceforge.net <mod-security-users <at> lists.sourceforge.net>
Sent: Tue Jul 01 23:24:59 2008
Subject: [mod-security-users] the @pm operator inmodsecurity_crs_40_generic_attacks.conf

Hi,

Is there any way to get the @pm operator to match only whole words?

I am using the Command Injection rule in
modsecurity_crs_40_generic_attacks.conf and it seems there should be a
better way.
SecRule ARGS "@pm ping id rm ..." ""t:htmlEntityDecode,t:lowercase..." matches:

Content-Type: application/x-www-form-urlencoded
Name=Sid
Destination=shipping

Or am I doing something wrong? The reference manual
(modsecurity2-apache-reference.pdf) infers that it's a word match.

TIA (Thanks In Advance),
Stephen

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08

testing the ASCIIZ vulnerability test

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users

the @pm operator in modsecurity_crs_40_generic_attacks.conf

Hi,

Is there any way to get the @pm operator to match only whole words?

I am using the Command Injection rule in
modsecurity_crs_40_generic_attacks.conf and it seems there should be a
better way.
SecRule ARGS "@pm ping id rm ..." ""t:htmlEntityDecode,t:lowercase..." matches:

Content-Type: application/x-www-form-urlencoded
Name=Sid
Destination=shipping

Or am I doing something wrong? The reference manual
(modsecurity2-apache-reference.pdf) infers that it's a word match.

TIA (Thanks In Advance),
Stephen

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08