Re: Lackings in mod security

On 9/15/06, Ryan Barnett <rcbarnett@xxxxxxxxx> wrote:
>
> On 9/14/06, donnydark <donnydark@xxxxxxxxx> wrote:
> > Hello abakash,
> >
> > modsecurity is SEVERELY lacking in documentation and support.

Wow, you seem pretty passionate about that.  I think I am equally --
well maybe not quite -- as passionate about the opposite.

> I actually think that the documentation is pretty good
> (http://www.modsecurity.org/documentation/index.html).  I
> refer to it quite often when I forget the exact syntax on something.  The
> ModSecurity Blog also provides great info on an on-going basis.  So I guess
> "severely" is subjective.  As far as support goes, my personal experience is
> that Ivan is normally extremely responsive to questions and issues posed to
> this list.  There are also other list members who often provide responses.
> Some of the problems stem for posters not searching the mail archive to see
> if their question has already been answered many, many times in the past.

I'll second what Ryan states here.  It is getting increasingly rare
these days for developers of apps to support end users as well as Ivan
does.  I think Ivan and the rest of this list provide considerable
help to users that ask questions beyond "hey, tell me how to do this
because I don't want to bother to find/read the documentation."
Normally even questions like that and ones that are obviously answered
in the docs are answered on the list (sometimes many times over
again).

> > i wrote the author and this mailing list asking for even a single rule
> > example to be answered and was pretty much ignored.
>
> I would venture to guess that your experience is an exception and not the
> rule.

The only questions that appear to get purposefully ignored -- and this
is rare -- are those that are demanding and rude.  I don't remember
seeing your question and don't see it with a quick search through the
archive either.  Perhaps your question slipped through the cracks and
maybe you should have explained this and asked it again?

Remember this list is *not* contractually obligated to answer *any*
questions.  If you want that, then *pay* for support and/or *pay* for
consulting and/or some training:

http://www.thinkingstone.com/
http://www.sans.org/training/description.php?tid=454

> > what should be done is a series of real world examples on how to lock
> > down certain web scripts so that ONLY specific ranges of input data
> > are allowed and everything else is denied.

Excellent idea!  However, what you are proposing is not trivial for
real-world apps.  It is difficult and quite time consuming to do well
and is *never* foolproof.  I would concentrate on the *how* and not
the actual configuration.  In other words, teach the *process* of
locking down the app, not necessarily just how to use modsecurity
directives.

> > here's a project: write a complete modsecurity configuration that
> > allows a rather complex web software its full range of function but
> > yet ONLY allows expected functions and everything else is rejected.
> >
> > you could pick something like a popular cms or web forum software.
>
> There are many 3rd party articles that are referenced from the Documentation
> page that provided the exact type of examples you are looking for.  Here are
> 2 that I would recommend as they provide an excellent walk-thru of creating
> whitelisting/positive security filters for a web services app -
>
> Securing Web Services with ModSecurity -
> http://www.onlamp.com/pub/a/onlamp/2005/06/09/wss_security.html
> http://www.infosecwriters.com/text_resources/pdf/Defending-web-services.pdf
>
> Here is a link to chapter 7 of my book, which you might find useful -
> http://www.awprofessional.com/articles/article.asp?p=442984

Which brings me to my last point.  Many of the people who wrote these
guides, articles and books are actually *on* this list (*wink*) and
more than willing to help you out if *you* are willing to ask in a
professional manner.

-B

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642