Rules database

Hi,

I'm interested in protecting webapps in a "generic way" (more or less
:-)), which means that if I choose to install a PHP-Nuke portal and a
new SQL injection bug in that portal is disclosed, it will not be
exploitable (the code would still be buggy until patching, but that's
unavoidable). Of course, the idea is to catch as many kinds of bugs as
possible (not only SQL injection, but directory traversal, remote
PHP script injection, shell injection, etc.).

I visited:
http://www.modsecurity.org/db/rules/
But I got a bit disappointed when I saw only 4 rules :-(. The db seems
to be discontinued... ?

I'm wondering whether:
1) There are other "repositories" for mod-security rules, or
2) Some of you, security-specialists, would be kind enough to share the
rules you have, ideas, etc.

Other repositories (not directly related to Mod-security but perhaps
easily "convertible" to it; for instance, rules from other IPS devices) may
also be interesting.

Hope to hear from you, guys :-)

Kind regards,
-Román


Re: Rules database

Hi Roman:
When I tried modsecurity, I used a script to convert snort rules to
modsecurity rules. Maybe you could do that to initialize your rules
database, and then optimize the set of rules.

Here is the link:
http://www.modsecurity.org/documentation/converted-snort-rules.html

Cheers
Christian Martorella

Roman Medina-Heigl Hernandez wrote:

>Hi,
>
>I'm interested in protecting webapps in a "generic way" (more or less
>:-)), which means that if I choose to install a PHP-Nuke portal and a
>new SQL injection bug in that portal is disclosed, it will not be
>exploitable (the code would still be buggy until patching, but that's
>unavoidable). Of course, the idea is to catch as many kinds of bugs as
>possible (not only SQL injection, but directory traversal, remote
>PHP script injection, shell injection, etc.).
>
>I visited:
>http://www.modsecurity.org/db/rules/
>But I got a bit disappointed when I saw only 4 rules :-(. The db seems
>to be discontinued... ?
>
>I'm wondering whether:
>1) There are other "repositories" for mod-security rules, or

Re: Rules database

Christian Martorella wrote:

> Hi Roman:
> When I tried modsecurity, I used a script to convert snort rules to
> modsecurity rules. Maybe you could do that to initialize your rules
> database, and then optimize the set of rules.
> 

Unfortunately, that script does not work as expected and cleaning up
is time consuming. I sent a patch to the list a while back that Ivan
applied to the CVS; I would suggest you use
http://cvs.sourceforge.net/viewcvs.py/mod-security/mod_security/util/
instead.

BTW, I also sent a while back (October last year [1]) a script to 
convert Nessus NASL plugins into modsecurity rules, it needs to be 
improved upon, but could also prove useful.

Regards

Javier

[1] Message-ID: <4181191E.8090309 <at> germinus.com>

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click

Ivan Ristic | 4 Apr 16:33

Re: Rules database

Roman Medina-Heigl Hernandez wrote:
> I visited:
> http://www.modsecurity.org/db/rules/
> But I got a bit disappointed when I saw only 4 rules :-(. The db seems
> to be discontinued... ?

   It never took off. At the last minute I decided a repository
   of rules that worked only in mod_security was not the best
   way forward. Instead, I designed the portable web application
   firewall rule format http://www.modsecurity.org/projects/wasprotect/.

   The plan is to implement a portable rule database in Q3 this year,
   with the support of other web application firewall vendors.

   To be honest, there was another reason - I spent eight months last
   year writing the book, so I didn't have time to do anything else.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

Tom Anderson | 4 Apr 16:49

Re: Rules database

----- Original Message ----- 
From: "Ivan Ristic" <ivanr <at> webkreator.com>
To: <mod-security-users <at> lists.sourceforge.net>
Sent: Monday, April 04, 2005 10:33 AM
Subject: Re: [mod-security-users] Rules database

> Roman Medina-Heigl Hernandez wrote:
>> I visited:
>> http://www.modsecurity.org/db/rules/
>> But I got a bit disappointed when I saw only 4 rules :-(. The db seems
>> to be discontinued... ?
>
>   It never took off. At the last minute I decided a repository
>   of rules that worked only in mod_security was not the best
>   way forward. Instead, I designed the portable web application
>   firewall rule format http://www.modsecurity.org/projects/wasprotect/.

OMG, that looks horrible!  Please don't make that the only accepted format. 
I hate dealing with completely useless markup which can just as easily be 
implied.  It just clutters up the configuration with non-info and bloats 
your file sizes.  The best thing about working in unix environments is that 
everything is kept short and sweet.  Human readability is key.

SecFilterSelective "ARG_open" ^sesame$    (38 chars)

vs

<rule operator="regex" arg="params['open']" value="^sesame$" />    (63 chars)


Ivan Ristic | 4 Apr 17:08

Re: Rules database

Tom Anderson wrote:
 >
>>   It never took off. At the last minute I decided a repository
>>   of rules that worked only in mod_security was not the best
>>   way forward. Instead, I designed the portable web application
>>   firewall rule format http://www.modsecurity.org/projects/wasprotect/.
> 
> OMG, that looks horrible!

   :)

   It will look even worse when a layer of meta-data is added to it.

> Please don't make that the only accepted 
> format.

   ModSecurity will support both formats in version 2, so don't
   worry.

> Human readability is key.

   I agree.

> XML is good for sharing rules between systems, but not for human 
> maintained configs.

   Again, I agree. The new XML-based format was designed just for
   that purpose (sharing between systems), hence the added
   complexity.


Re: Rules database

Ivan Ristic wrote:
>   ModSecurity will support both formats in version 2, so don't
>   worry.

[...]

>   Again, I agree. The new XML-based format was designed just for
>   that purpose (sharing between systems), hence the added
>   complexity.

Then perhaps you'd not need to include support for ModSecurity. A simple
conversion tool (ensuring you can translate modsecurity format <-> XML
format) would suffice...

Regards,
-Román
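As an added example (not code from this thread, from ModSecurity or from the WASProtect project), here is a small Python converter between the two rule forms Tom compares and that Román proposes translating mechanically: the `SecFilterSelective LOCATION REGEX [ACTIONS]` line and the `<rule operator="regex" .../>` element. The `ARG_name` to `params['name']` mapping is the one shown in the thread; the `actions` attribute used for an optional ModSecurity action list is my assumption, not part of the XML format.

```python
import re
import xml.etree.ElementTree as ET

# Apache-style argument tokenizer: "quoted string" or a bare run of non-space
# characters (backslash escapes inside quotes are not handled).
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# XML side of the variable mapping shown in the thread: params['open'] <-> ARG_open
_PARAM = re.compile(r"^params\['([^']+)'\]$")


def _tokens(line):
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(line)]


def location_to_xml_arg(location):
    """ARG_open -> params['open']; any other ModSecurity location passes through unchanged."""
    if location.startswith("ARG_"):
        return "params['%s']" % location[len("ARG_"):]
    return location


def xml_arg_to_location(arg):
    m = _PARAM.match(arg)
    return "ARG_" + m.group(1) if m else arg


def modsec_to_xml(line):
    """SecFilterSelective LOCATION REGEX [ACTIONS]  ->  <rule operator="regex" .../>"""
    tokens = _tokens(line.strip())
    if len(tokens) < 3 or tokens[0] != "SecFilterSelective":
        raise ValueError("expected 'SecFilterSelective LOCATION REGEX [ACTIONS]', got %r" % line)
    rule = ET.Element("rule", operator="regex",
                      arg=location_to_xml_arg(tokens[1]), value=tokens[2])
    if len(tokens) > 3:
        rule.set("actions", tokens[3])          # assumed attribute, not from the XML format
    # ElementTree escapes the regex for XML (&, <, > and double quotes) automatically
    return ET.tostring(rule, encoding="unicode")


def xml_to_modsec(xml_text):
    """Reverse direction; quotes every argument so regex metacharacters survive Apache's parser."""
    rule = ET.fromstring(xml_text)
    if rule.tag != "rule" or rule.get("operator") != "regex":
        raise ValueError("only <rule operator=\"regex\"> can be expressed as SecFilterSelective")
    parts = ["SecFilterSelective", xml_arg_to_location(rule.get("arg")), rule.get("value")]
    if rule.get("actions"):
        parts.append(rule.get("actions"))
    return parts[0] + " " + " ".join('"%s"' % p for p in parts[1:])
```

Run on Tom's own pair of rules, the converter reproduces his 38- versus 63-character comparison exactly, and a regex containing `<` or `&` comes out XML-escaped rather than as malformed markup.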

Ivan Ristic | 4 Apr 17:38

Re: Rules database

Roman Medina-Heigl Hernandez wrote:
> Ivan Ristic wrote:
> 
>>  ModSecurity will support both formats in version 2, so don't
>>  worry.
> 
> 
> [...]
> 
> 
>>  Again, I agree. The new XML-based format was designed just for
>>  that purpose (sharing between systems), hence the added
>>  complexity.
> 
> 
> Then perhaps you'd not need to include support for ModSecurity. A simple
> conversion tool (ensuring you can translate modsecurity format <-> XML
> format) would suffice...

   Perhaps. Right now the XML format can do a few things ModSecurity
   native cannot but I can probably rectify that in 2.0.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org



Re: Rules database

On Mon, Apr 04, 2005 at 01:34:30PM +0200, Roman Medina-Heigl Hernandez wrote:
> I'm wondering whether:
> 1) There are other "repositories" for mod-security rules, or

You can try at:
http://modsecrules.monkeydev.org/index.php
It's quite new, but growing fast.

Regards,

Alberto

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3


Re: Rules database


Hello Román,

You could try http://www.gotroot.com/downloads/ftp/mod_security/rules.conf
It has a LOT of rules.
Hope it's helpful.

Gerwin

Roman Medina-Heigl Hernandez wrote:
| Hi,
|
| I'm interested in protecting webapps in a "generic way" (more or less
| :-)), which means that if I choose to install a PHP-Nuke portal and a
| new SQL injection bug in that portal is disclosed, it will not be
| exploitable (the code would still be buggy until patching, but that's
| unavoidable). Of course, the idea is to catch as many kinds of bugs as
| possible (not only SQL injection, but directory traversal, remote
| PHP script injection, shell injection, etc.).
|
| I visited:
| http://www.modsecurity.org/db/rules/
| But I got a bit disappointed when I saw only 4 rules :-(. The db seems
| to be discontinued... ?
|
| I'm wondering whether:
| 1) There are other "repositories" for mod-security rules, or
| 2) Some of you, security-specialists, would be kind enough to share the
| rules you have, ideas, etc.
|

Re: Rules database

Gerwin Krist -|- Digitalus Webhosting wrote:

> You could try http://www.gotroot.com/downloads/ftp/mod_security/rules.conf

It looks nice. But it seems to be having problems in Apache 1.x
(according to the comments). Do you know if they've been fixed? I also
read one thread at gotroot.com but it didn't contain specific info about
the issue.

I still have to review the link provided by Alberto (my proxy doesn't
load it, I'll try again l8r).

Thanks to both, Gerwin & Alberto :-)

Regards,
-Román

Michael Shinn | 8 Apr 23:09

Re: Rules database

On Mon, 2005-04-04 at 16:14 +0200, Roman Medina-Heigl Hernandez wrote:
> Gerwin Krist -|- Digitalus Webhosting wrote:
> 
> > You could try http://www.gotroot.com/downloads/ftp/mod_security/rules.conf
> 
> It looks nice. But it seems to be having problems in Apache 1.x
> (according to the comments). Do you know if they've been fixed? I also
> read one thread at gotroot.com but it didn't contain specific info about
> the issue.

Hi, I'm the author of those rules.  The rules that choke on Apache 1.x
deal with my use of PCRE regexes while Apache 1.x apparently only
supports POSIX regexes.  The solution is that I need to convert all
those regexes to POSIX regexes for the legacy Apache 1.x systems.
Otherwise, the rules should work fine.  It's just a regex formatting issue
for the two platforms.

> 
> I still have to review the link provided by Alberto (my proxy doesn't
> load it, I'll try again l8r).
> 
> Thanks to both, Gerwin & Alberto :-)
> 
> Regards,
> -Román

Ivan Ristic | 11 Apr 11:16

Re: Rules database

Michael Shinn wrote:
> On Mon, 2005-04-04 at 16:14 +0200, Roman Medina-Heigl Hernandez wrote:
> 
>>Gerwin Krist -|- Digitalus Webhosting wrote:
>>
>>
>>>You could try http://www.gotroot.com/downloads/ftp/mod_security/rules.conf
>>
>>It looks nice. But it seems to be having problems in Apache 1.x
>>(according to the comments). Do you know if they've been fixed? I also
>>read one thread at gotroot.com but it didn't contain specific info about
>>the issue.
> 
> 
> Hi, I'm the author of those rules.  The rules that choke on Apache 1.x
> deal with my use of PCRE regexes while Apache 1.x apparently only
> supports POSIX regexes.  The solution is that I need to convert all
> those regexes to POSIX regexes for the legacy Apache 1.x systems.
> Otherwise, the rules should work fine.

   If you could send me the translation algorithm, I could try and
   put it right into the Apache 1.x version, so the translation would
   happen at runtime with both versions supporting the same format?

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
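Michael's Apache 1.x problem and Ivan's proposed runtime translation, as an added example (not the gotroot rules and not ModSecurity code): a Python translator that rewrites the PCRE shorthand classes `\d`, `\w`, `\s` and their negations into POSIX bracket expressions, turns `(?:` into a plain group, and refuses patterns that use lookarounds, lazy quantifiers, backreferences or `\b`, which ERE cannot express, so those rules get flagged for a manual rewrite instead of silently changing meaning. The ASCII class equivalents are my assumption (PCRE's defaults are ASCII too), and the output is not validated against a real POSIX engine here.

```python
import re

# PCRE shorthand classes that POSIX ERE lacks, written as bracket-expression bodies
# (ASCII equivalents, assumed here; PCRE's defaults are ASCII as well).
_SHORTHAND = {"d": "0-9", "w": "A-Za-z0-9_", "s": "[:space:]"}

class UntranslatableError(ValueError):
    """PCRE syntax with no POSIX ERE equivalent: the rule needs a manual rewrite."""

def pcre_to_posix_ere(pattern):
    """Translate one PCRE pattern to POSIX ERE, or raise UntranslatableError."""
    out, i, n, in_bracket = [], 0, len(pattern), False
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:                          # escape sequence
            esc = pattern[i + 1]
            if esc.lower() in _SHORTHAND:
                body = _SHORTHAND[esc.lower()]
                if in_bracket:
                    if esc.isupper():
                        raise UntranslatableError("negated class inside brackets: \\" + esc)
                    out.append(body)                         # [\d.] -> [0-9.]
                else:
                    out.append("[" + ("^" if esc.isupper() else "") + body + "]")
            elif esc.isdigit() or esc in "bB" or (in_bracket and esc == "]"):
                raise UntranslatableError("no ERE equivalent for \\" + esc)
            elif in_bracket:
                out.append(esc)                              # backslash is literal inside POSIX brackets
            else:
                out.append(c + esc)
            i += 2
            continue
        if in_bracket:
            in_bracket = c != "]"
        elif c == "[":
            in_bracket = True
            for lead in ("^", "]"):                          # a leading ^ or ] is bracket syntax, not a close
                if pattern.startswith(lead, i + 1):
                    out.append(c)
                    c, i = lead, i + 1
        elif c == "(" and pattern.startswith("(?", i):
            if not pattern.startswith("(?:", i):
                raise UntranslatableError("lookaround or inline option at offset %d" % i)
            i += 2                                           # (?:...) -> (...): ERE groups always capture
        elif c in "*+?}" and pattern.startswith("?", i + 1):
            raise UntranslatableError("lazy quantifier at offset %d" % i)
        out.append(c)
        i += 1
    return "".join(out)
```

Feeding each regex of a rules file through this function splits it into rules that load unchanged on the POSIX engine and rules that still need a hand-written ERE equivalent.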


Michael Shinn | 17 Apr 17:40

Re: Rules database

On Mon, 2005-04-11 at 10:16 +0100, Ivan Ristic wrote:
> Michael Shinn wrote:
> > On Mon, 2005-04-04 at 16:14 +0200, Roman Medina-Heigl Hernandez wrote:
> > 
> >>Gerwin Krist -|- Digitalus Webhosting wrote:
> >>
> >>
> >>>You could try http://www.gotroot.com/downloads/ftp/mod_security/rules.conf
> >>
> >>It looks nice. But it seems to be having problems in Apache 1.x
> >>(according to the comments). Do you know if they've been fixed? I also
> >>read one thread at gotroot.com but it didn't contain specific info about
> >>the issue.
> > 
> > 
> > Hi, I'm the author of those rules.  The rules that choke on Apache 1.x
> > deal with my use of PCRE regexes while Apache 1.x apparently only
> > supports POSIX regexes.  The solution is that I need to convert all
> > those regexes to POSIX regexes for the legacy Apache 1.x systems.
> > Otherwise, the rules should work fine.
> 
>    If you could send me the translation algorithm, I could try and
>    put it right into the Apache 1.x version, so the translation would
>    happen at runtime with both versions supporting the same format?

That would certainly be a much easier solution for me.  :-)

-- 
Michael T. Shinn                                    KeyID:370A4CAB
Key Fingerprint: 0057 437C D882 ECFF 716B 7BD6 6E3B F5BA 370A 4CAB