Re: Apache module: mod_security

From: Ivan Ristic <ivanr(at)webkreator.com>
Date: Tue Dec 10 2002 - 11:35:18 EST

Bill Burge wrote:
> After a cursory glance, other than removing some abstraction
> and making configuration a little more straightforward; I'm not
> sure how this differs from what can be done with mod_rewrite.

   One major feature: it filters POST payloads, too. There is no
   point in having any kind of web application firewall if you
   allow attackers to attack you via POST.

   The other major feature (at least to me) is the full (POST
   included) audit log.

   And (I am trying really hard now :), it can also filter
   individual parameters. For example, if you have something
   like:

   script.php?title=value1&content=value2

   with a rule

   SecFilterSelective ARGS|!ARG_content "<( |\n)+>"

   You can allow HTML to come through variable "content" but
   not through "title".

> I didn't see anything in the attributes list that I can't review
> and take action on with rewrite rules.

   Well, I copied the variable names from mod_rewrite 0:)

> While this might be a good first step in the right direction
> (I spend a lot of time carving apache into a web based application
> level gateways); I'd like to see a lot more than a simpler conf
> language and a gui (actually you can keep the gui).

   Keep 'em coming! Your comments are most welcome, that is
   exactly what I need at the moment.

> 1) how about using snort rules natively

   I used Snort for Web filtering before starting work
   on mod_security. Its rules are mostly IP-specific, and
   not suitable for mod_security which works on the HTTP
   level.

> 2) how about data collection on the source of the connection

   Are you referring to the audit log (request headers and
   other information)? It does that.

   You also asked about mod_rewrite. These two modules seem
   similar (especially in these early times) but are fundamentally
   different. In order to do what I'm doing with mod_security
   at the moment, I would have to take mod_rewrite apart. Those
   changes would never be allowed back into the module and then,
   it would be the same anyway.

> 3) how about notifications

   Alerts & custom redirects are the first on my list.

--
Ivan Ristic, 
http://www.webkreator.com/
Received on Tue Dec 10 13:07:58 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT
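
The per-parameter filtering and POST coverage described in the message above, modelled in Python as an added example (not code from the original post or from mod_security). The function names, the sample requests and the tag pattern are assumptions made for the illustration; the pattern is a stand-in and is not copied from the rule in the message.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Stand-in pattern for "value contains an HTML tag" (assumption of this example).
TAG = re.compile(r"<(.|\n)+>")

def collect_args(url, body=""):
    """Return (name, value) pairs from the query string and a urlencoded POST body."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return pairs

def selective_filter(pairs, pattern, exclude=()):
    """Model of ARGS|!ARG_<name>: test every argument except the excluded names.
    Returns the names of the arguments whose decoded value matched."""
    return [name for name, value in pairs
            if name not in exclude and pattern.search(value)]

def url_only_filter(url, pattern):
    """What a check limited to the request line sees: the POST body is invisible."""
    return selective_filter(collect_args(url), pattern)

def inspect(url, body=""):
    """Decision for one request: HTML is allowed in 'content' and nowhere else."""
    hits = selective_filter(collect_args(url, body), TAG, exclude=("content",))
    return ("deny", hits) if hits else ("allow", [])

if __name__ == "__main__":
    # Constructed sample requests (URL, urlencoded POST body).
    samples = [
        ("script.php?title=hello&content=%3Cb%3Ebold%3C%2Fb%3E", ""),
        ("script.php?title=%3Cb%3Ex%3C%2Fb%3E&content=ok", ""),
        ("script.php", "title=%3Ci%3Ex%3C%2Fi%3E&content=ok"),
    ]
    for url, body in samples:
        print(inspect(url, body), "url-only hits:", url_only_filter(url, TAG))
```

The third sample is the case the reply stresses: the tag arrives only in the POST body, so the URL-only check reports nothing while the full check denies on "title".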