Subject: Migration 1.x to 2.x - msg#00173
List: apache.mod-security.user
Hello,
I am trying to migrate my old ruleset to the new format (2.x) and have studied the
documentation:
http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
Can you please give me some examples for migrating the following rules?
And how do I get the new directives to work case insensitive?
# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilter "bcc\x3a"
SecFilter "bcc:|Bcc:|BCC:" chain
SecFilterSelective POST_PAYLOAD "Bcc:"
SecFilterSelective THE_REQUEST "Bcc:"
#
Thank you very much,
Kind regards,
Thomas
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Thread at a glance:
Previous Message by Date:
Re: rule blocking Wordpress administration
> -----Original Message-----
> From: mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of bad_brain
> Sent: Sunday, June 24, 2007 1:05 PM
> To: mod-security-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [mod-security-users] rule blocking Wordpress administration
>
> Ryan Barnett wrote:
>
> >That rule is blocking due to the Content-Type not matching a positive
> >policy rule. Take a look at your audit_log data to see what the
> >Content-Type header looks like. Once you have that data, you can then
> >create a new rule that includes that data.
> >
> >You could also create a rule that checks the URI and then skips the
> >Content-Type check -
> >
> >SecFilterSelective REQUEST_URI "^/wp-admin/" nolog,pass,skip:1
> >SecFilterSelective HTTP_Content-Type
> >"!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
> >
> >
> >
> thanks for the quick reply,
> I used the 2nd option and added the rule to skip the check for the
> specific URL,
> I just wanted to add the remark it's *skip:2* in 1.9. ;)
[Ryan Barnett] Actually, we are both wrong... in 1.9 it is skipnext and in
2.0 it is just skip. Besides the naming change, the real difference in
how skipnext/skip works between the two versions is that in 1.x, skip
actually counts how many SecFilter/SecFilterSelective lines follow
(regardless of whether or not the rules are chained) while skip factors
chained rules in and considers them to be just one rule.
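A toy model, added here and not ModSecurity's own code, of the skip counting Ryan describes: the Content-Type check from the reply written as a two-line chain behind a skip on /wp-admin/, walked once with 1.x line counting and once with 2.x logical-rule counting. The rule fields, the request dictionaries and the "a chain is one rule" semantics are modelled from the description above, not taken from either engine's source.

```python
import re
from collections import namedtuple

# Toy model (added here, not ModSecurity code) of the skip difference Ryan describes:
# 1.x skipnext:N jumps over N physical lines, 2.x skip:N jumps over N logical rules.
# Fields: request key (stands in for a SecFilterSelective target), regex (a leading "!"
# negates it), action ("deny", "chain" or "skip:N"), and whether the line chains onward.
Rule = namedtuple("Rule", "target pattern action chain", defaults=(False,))

def line_matches(rule, request):
    negate = rule.pattern.startswith("!")
    hit = re.search(rule.pattern.lstrip("!"), request.get(rule.target, "")) is not None
    return hit != negate

def evaluate(rules, request, version):
    """Return "deny" or "pass"; version is "1.x" or "2.x"."""
    i = 0
    while i < len(rules):
        j = i
        while rules[j].chain:                 # a chain ends at its first non-chain line
            j += 1
        if all(line_matches(r, request) for r in rules[i:j + 1]):
            action = rules[j].action          # the last link of a chain decides
            if action == "deny":
                return "deny"
            if action.startswith("skip:"):
                n, i = int(action[5:]), j + 1
                if version == "1.x":
                    i += n                    # N raw lines, chained or not
                else:
                    for _ in range(n):        # N logical rules: a chain counts once
                        while i < len(rules) and rules[i].chain:
                            i += 1
                        i += 1
                continue
        i = j + 1
    return "pass"

# Constructed ruleset: skip the Content-Type check for /wp-admin/, with that check
# written as a two-line chain (method must be POST AND Content-Type off the allow-list).
def wp_rules(skip_count):
    return [
        Rule("uri", r"^/wp-admin/", f"skip:{skip_count}"),
        Rule("method", r"^POST$", "chain", chain=True),
        Rule("content_type", r"!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)", "deny"),
    ]

# Constructed request: an admin POST whose Content-Type is not on the allow-list.
ADMIN_POST = {"uri": "/wp-admin/post.php", "method": "POST", "content_type": "text/plain"}

def compare(skip_count=1, request=ADMIN_POST):
    return {v: evaluate(wp_rules(skip_count), request, v) for v in ("1.x", "2.x")}
```

With skip:1, the 1.x walk lands on the second line of the chain and evaluates it alone, so the admin POST is still denied; 2.x steps over the whole chain and passes it.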
Next Message by Date:
Re: Migration 1.x to 2.x
> -----Original Message-----
> From: mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:mod-security-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of blaster@xxxxxxxxxxxxx
> Sent: Sunday, June 24, 2007 5:35 PM
> To: mod-security-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: [mod-security-users] Migration 1.x to 2.x
>
> Hello,
>
> I am trying to migrate my old ruleset to the new format (2.x) and have studied the
> documentation:
>
> http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
>
> Can you please give me some examples for migrating the following rules?
> And how do I get the new directives to work case insensitive?
>
> # Block various methods of downloading files to a server
>
> SecFilterSelective THE_REQUEST "wget "
[Ryan Barnett] If you upgrade to ModSecurity 2.x, then you can use the
Core Rules, which already have a rule to detect wget command injection
attempts -
SecRule "ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent" \
  "\bwget\b" \
  "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950907',severity:'2'"
>
> SecFilter "bcc\x3a"
> SecFilter "bcc:|Bcc:|BCC:" chain
>
> SecFilterSelective POST_PAYLOAD "Bcc:"
>
> SecFilterSelective THE_REQUEST "Bcc:"
>
[Ryan Barnett] For "bcc" type signatures, there aren't any in the Core
Rules; however, you could create one that is very similar to the previous
wget example -
# no trailing \b after the colon: "bcc: address" has no word boundary there
SecRule "ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent" \
  "\bbcc:" \
  "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'BCC String Identified. Matched signature <%{TX.0}>',id:'1',severity:'2'"
As for your question about case sensitivity, the same Core Rules file
that has the wget rule has the following SecDefaultAction specified -
SecDefaultAction "log,pass,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
This includes the "t:lowercase" transformation function. So either make
sure that your new rule will inherit the proper SecDefaultAction, or you
can specify it on the rule itself.
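To see what the t:lowercase default does to the two rules above, here is an added Python sketch, not ModSecurity code and not from the list, that applies the three SecDefaultAction transformations in order and then runs the wget and bcc patterns over the targets the SecRule variable list names. It approximates t:urlDecodeUni with urllib's unquote (no %uXXXX handling) and t:htmlEntityDecode with html.unescape; those stand-ins and the sample requests are assumptions.

```python
import html
import re
from urllib.parse import unquote

# Added sketch, not ModSecurity code: the three SecDefaultAction transformations
# (t:urlDecodeUni,t:htmlEntityDecode,t:lowercase) applied, in that order, before the
# wget and bcc patterns run over ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent.
# Assumed stand-ins: unquote() for urlDecodeUni (no %uXXXX), html.unescape() for htmlEntityDecode.

def transform(value):
    return html.unescape(unquote(value)).lower()

WGET_RE = re.compile(r"\bwget\b")
BCC_RE = re.compile(r"\bbcc:")   # no trailing \b: "bcc: x" has no word boundary after the colon

def targets(request):
    """Yield (target, raw value) pairs in the order the SecRule variable list names them."""
    for name, value in request.get("args", {}).items():
        yield f"ARGS:{name}", value
    for name in request.get("args", {}):
        yield f"ARGS_NAMES:{name}", name
    for name, value in request.get("headers", {}).items():
        if name.lower() != "user-agent":          # the ! exclusion in the variable list
            yield f"REQUEST_HEADERS:{name}", value

def inspect(request):
    """Return (rule id, target) pairs that fire, i.e. what the audit log would record."""
    hits = []
    for target, raw in targets(request):
        value = transform(raw)
        if WGET_RE.search(value):
            hits.append(("950907", target))
        if BCC_RE.search(value):
            hits.append(("1", target))
    return hits

# Constructed requests for the cases the thread is about.
MIXED_CASE_BCC = {"args": {"body": "Hi\nBcc: someone@example.invalid"}}  # needs t:lowercase
ENCODED_BCC = {"args": {"to": "%42CC%3A x"}}                              # needs t:urlDecodeUni
WGET_IN_ARG = {"args": {"cmd": "wget file"}}
WGET_CLIENT = {"headers": {"User-Agent": "Wget/1.10"}}                    # excluded target

if __name__ == "__main__":
    for req in (MIXED_CASE_BCC, ENCODED_BCC, WGET_IN_ARG, WGET_CLIENT):
        print(inspect(req))
```

The User-Agent case shows why the Core Rule excludes that header: a legitimate wget client announces itself there and would otherwise trip the command-injection rule on every request.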
Previous Message by Thread:
Re: Umlaut and modsecurity-core-rules_2.1-1.4
On Fri, 1 Jun 2007 16:30:10 +0200
Christian Bockermann <chris@xxxxxxxxx> wrote:
> <LocationMatch "/main.php">
> SecRemoveRuleByID 1234
> </LocationMatch>
Interesting, when I try to use that I get the following with apache2ctl -t
Syntax error on line 100 of /etc/apache/vhost.d/my.host.com.conf
Invalid command 'SecRemoveRuleByID', perhaps mis-spelled or defined by
a module not included in the server configuration
My version is mod_security-2.1.1
Any ideas?
Thanks!
hanji