Fix some typos and punctuation.

Marc Laporte
2013-11-04 14:50:52 -08:00
parent 7793874dcd
commit 463d0d4982

@@ -26,16 +26,16 @@ Yes, only subscribers are able to post messages. As mentioned in the previous se
== Is there anything that I should do prior to sending emails to the mail-list? ==
Yes. There is a good chance that the issue you are facing has already been discussed and, most likely, a fix has already been presented. You can review the mail-list archive online at the ModSecurity project site on SourceForge. You can also use the Search interface available for topic threads that are archived to the various mirror sites. For example, if you had a quesiton about Exceptions and ModSecurity, you could use the following search to find past mail-list threads on this topic. If you can not find an answer to your question after doing some research, you should then send an email to the mod-security-users mail-list.
Yes. There is a good chance that the issue you are facing has already been discussed and, most likely, a fix has already been presented. You can review the mail-list archive online at the ModSecurity project site on SourceForge. You can also use the Search interface available for topic threads that are archived to the various mirror sites. For example, if you had a question about Exceptions and ModSecurity, you could use the following search to find past mail-list threads on this topic. If you can not find an answer to your question after doing some research, you should then send an email to the mod-security-users mail-list.
== Where can I find books about Web Application Firewalls and ModSecurity? ==
Books
ModSecurity Handbook is "The definitive guide to the popular open source web application firewall", written by Ivan Ristic (original author of ModSecurity). The book is available from Feisty Duck in hardcopy or with immediate access to the digital version which is continually updated.
ModSecurity Handbook is "The definitive guide to the popular open source web application firewall", written by Ivan Ristic (original author of ModSecurity). The book is available from Feisty Duck in hard copy or with immediate access to the digital version which is continually updated.
ModSecurity 2.5 is "A complete guide to using ModSecurity", written by Magnus Mischel. The book is available from Packt Publishing in both hardcopy and digital forms.
ModSecurity 2.5 is "A complete guide to using ModSecurity", written by Magnus Mischel. The book is available from Packt Publishing in both hard copy and digital forms.
Apache Security is a comprehensive Apache Security resource, written by Ivan Ristic for O'Reilly. Two chapters (Apache Installation and Configuration and PHP) are available as free download, as are the Apache security tools created for the book.
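Review bot: "If you can not find an answer" in the corrected mail-list paragraph should be "cannot" (one word); "can not" reads as "able to not", and since this commit is a typo and punctuation pass it is worth fixing in the same line.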
@@ -44,7 +44,7 @@ Apache Security is a comprehensive Apache Security resource, written by Ivan Ris
Preventing Web Attacks with Apache. Building on his groundbreaking SANS presentations on Apache security, Ryan C. Barnett reveals why your Web servers represent such a compelling target, how significant exploits are performed, and how they can be defended against.
Training
Trustwave's SpiderLabs offers a variety of web applicaiton security training options include open source ModSecurity rule writing classes. Please use this contact form for more information. Ask about:
Trustwave's SpiderLabs offers a variety of web application security training options include open source ModSecurity rule writing classes. Please use this contact form for more information. Ask about:
ModSecurity: Deployment and Management
ModSecurity: Rules Writing Workshop
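Review bot: the corrected training sentence is still ungrammatical: "a variety of web application security training options include open source ModSecurity rule writing classes" needs "including" (or a comma and "which include"), and "rule writing" used as a modifier should be hyphenated: "training options, including open source ModSecurity rule-writing classes."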
@@ -62,7 +62,7 @@ No. The Trustwave Technical Support email address is for commercial ModSecurity
== What type(s) of security models does ModSecurity support? ==
There is a common misconcpetion that ModSecurity can only be used for negative policy enforcement. This is not the case. ModSecurity does not have any default security model "out-of-the-box." It is up to the user to implement appropriate rules to acheive the desired security model. That being said, these are the security models which are most often employed:
There is a common misconception that ModSecurity can only be used for negative policy enforcement. This is not the case. ModSecurity does not have any default security model "out-of-the-box." It is up to the user to implement appropriate rules to achieve the desired security model. That being said, these are the security models which are most often employed:
Negative Security Model - looks for known bad, malicious requests. This method is effective at blocking a large number of automated attacks, however it is not the best approach for identifying new attack vectors. Using too many negative rules may also negatively impact performance.
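Review bot: the trailing context line on the Negative Security Model contains a comma splice ("...automated attacks, however it is not the best approach..."); since this hunk is fixing punctuation, suggest "automated attacks; however, it is not the best approach for identifying new attack vectors."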
@@ -70,11 +70,11 @@ Positive Security Model - When positive security model is deployed, only request
Virtual Patching - Its rule language makes ModSecurity an ideal external patching tool. External patching is all about reducing the window of opportunity. Time needed to patch application vulnerabilities often runs to weeks in many organizations. With ModSecurity, applications can be patched from the outside, without touching the application source code (and even without any access to it), making your systems secure until a proper patch is produced.
Extrusion Detection Model - ModSecurity can also monitor outbound data and identify and block information disclosure issues such as leaking detailed error messages or Social Security Numbers or Credit Card Numers.
Extrusion Detection Model - ModSecurity can also monitor outbound data and identify and block information disclosure issues such as leaking detailed error messages or Social Security Numbers or Credit Card Numbers.
== What's new in ModSecurity and why should I upgrade if I am already using ModSecurity 1.x? ==
There are many significant changes and enhancemnts in ModSecurity 2.5 over the 1.x branch, including:
There are many significant changes and enhancements in ModSecurity 2.5 over the 1.x branch, including:
In order to use the OWASP ModSecurity Core Rules, you must use the 2.x version of ModSecurity as it takes advantage of specific features not available in previous versions.
@@ -104,7 +104,7 @@ Due to the many changes in the ModSecurity 2.0 rules language, you can not direc
== How do I install ModSecurity 2.0? ==
The installation procedures for installing ModSecurity 2.5 has changed from previous versions. It now includes a configure script that should help to identify all local settings. After running configure, you then run the make and make install commands. You no nonger use apxs directly.
The installation procedures for installing ModSecurity 2.5 has changed from previous versions. It now includes a configure script that should help to identify all local settings. After running configure, you then run the make and make install commands. You no longer use apxs directly.
== I hear that ModSecurity can be run in embedded-mode, what does that mean exactly? ==
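Review bot: subject-verb agreement in the corrected installation line is still off: "The installation procedures for installing ModSecurity 2.5 has changed" should be "The procedure for installing ModSecurity 2.5 has changed" (singular, and drops the redundant "installation ... installing"). The heading also still says "ModSecurity 2.0" while the answer describes 2.5; worth aligning while this line is being touched.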
@@ -120,7 +120,7 @@ ModSecurity can only protect the local web server.
ModSecurity will consume local resources such as CPU and RAM.
Management of of log files and configurations can become difficult if you have multiple installations.
Management of log files and configurations can become difficult if you have multiple installations.
== I hear that ModSecurity can be run in reverse proxy-mode, how does that differ from embedded-mode? ==
@@ -133,7 +133,7 @@ Network topology is hidden from the outside world - so it will be more difficult
Increased performance if SSL accelerators/caching used.
You can implement vulnerability filters to protect and vulnerable web server or application on the backend (IIS, Netscape, ASP, PHP, etc...). See related section on Virtual Patching.
You can implement vulnerability filters to protect and vulnerable web server or application on the back-end (IIS, Netscape, ASP, PHP, etc...). See related section on Virtual Patching.
Disadvantages
A potential traffic bottleneck if the reverse proxy can not handle the network load.
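Review bot: "protect and vulnerable web server" in the changed reverse-proxy line is a remaining typo for "protect any vulnerable web server"; the hunk only changes "backend" to "back-end". The Disadvantages context line has the same "can not" for "cannot" noted earlier.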
@@ -158,7 +158,7 @@ SecResponseBodyAccess On
== How can I verify exactly how ModSecurity is processing rules and requests? ==
You need to enable the debug log with SecDebugLog and increase the log level with SecDebugLogLevel. It you set the debug log level to 9 it will tell you exactly what tasks it is completing along with what data it is acting upon. Do be aware that while the increased debug log level does help from a trouble-shooting perspective, it does negatively impact performance.
You need to enable the debug log with SecDebugLog and increase the log level with SecDebugLogLevel. It you set the debug log level to 9, it will tell you exactly what tasks it is completing along with what data it is acting upon. Do be aware that while the increased debug log level does help from a troubleshooting perspective, it does negatively impact performance.
= ModSecurity Rules Language =
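Review bot: "It you set the debug log level to 9" should be "If you set the debug log level to 9"; the comma added after "9" is correct but the typo at the start of the sentence survives the edit.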
@@ -204,9 +204,9 @@ SecRule REMOTE_ADDR "^192\.168\.1\100$" phase:1,nolog,allow,ctl:ruleEngine=Off,c
Yes there are. Many of these differences are outlined in the Migration Matrix document listed previously. Another common rule difference issue that arises is when you want to create white-listed ModSecurity rulesets which enforce that certain headers/variables are both present and not empty. In ModSecurity 1.x, you could create one rule that handles this while in ModSecurity 2.x you would need to write a chained rule.
On the surface, you might think "The 1.x rules way is better since you only need 1 rule..." however you need to realize that anytime you have rules or directives that implicitly enforce certain capabilities you run the risk of having false positives as it could match things that you didn't want them to. For instance, what if you have a situation where certain web clients (such as mobile devices) legitimately include some headers, however they are empty? Do you want to automatically block these clients? With the ModSecurity 1.x Rule Language, you would have to remove the entire rule. With the ModSecurity 2.x Rule Language, however, you are able to create rules to more accurately apply the logic that you desire.
On the surface, you might think "The 1.x rules way is better since you only need 1 rule..." however you need to realize that anytime you have rules or directives that implicitly enforce certain capabilities, you run the risk of having false positives as it could match things that you didn't want them to. For instance, what if you have a situation where certain web clients (such as mobile devices) legitimately include some headers, however they are empty? Do you want to automatically block these clients? With the ModSecurity 1.x Rule Language, you would have to remove the entire rule. With the ModSecurity 2.x Rule Language, however, you are able to create rules to more accurately apply the logic that you desire.
Please refer to the following Blog post for more information.
Please refer to the following blog post for more information.
== How do I handle False Positives and creating Custom Rules? ==
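Review bot: "Yes there are." in the unchanged first line of this answer needs a comma ("Yes, there are."), matching the punctuation fixes elsewhere in this commit, and "1 rule" in the changed sentence would read better as "one rule" in prose.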
@@ -215,11 +215,11 @@ http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-except
== Will using a large amount of negative filtering rules impact performance? ==
Yes. Each and every rule that you implement will comsume resources (RAM, CPU, etc...). The two most important factors to consider with creating ModSecurity rules are the total number of rules and the Regular Expression optimizations. A single rule with a complex regular expression is significantly faster than multiple rules with simple regular expressions. Unfortunately, it is quite easy to create inefficient RegEx patterns. Optimizing RegExs by utilizing Grouping Only/Non-Capturing Parentheses can cut the validation time by up to 50%. The Core Ruleset is optimized for performance.
Yes. Each and every rule that you implement will consume resources (RAM, CPU, etc...). The two most important factors to consider with creating ModSecurity rules are the total number of rules and the Regular Expression optimizations. A single rule with a complex regular expression is significantly faster than multiple rules with simple regular expressions. Unfortunately, it is quite easy to create inefficient RegEx patterns. Optimizing RegExs by utilizing Grouping Only/Non-Capturing Parentheses can cut the validation time by up to 50%. The Core Ruleset is optimized for performance.
== What is a Virtual Patch and why should I care? ==
Fixing identified vulnerabilities in web application always requires time. Organizations often do not have access to a commercial application's source code and are at the vendor's mercy while waiting for a patch. Even if they have access to the code, implementing a patch in development takes time. This leaves a window of opportunity for the attacker to exploit. External patching (also called "just-in-time patching" and "virtual patching") is one of the biggest advantages of web application firewalls as they can fix this problem externally. A fix for a specific vulnerability is usually very easy to design and in most cases it can be done in less than 15 minutes.
Fixing identified vulnerabilities in web applications always requires time. Organizations often do not have access to a commercial application's source code and are at the vendor's mercy while waiting for a patch. Even if they have access to the code, implementing a patch in development takes time. This leaves a window of opportunity for the attacker to exploit. External patching (also called "just-in-time patching" and "virtual patching") is one of the biggest advantages of web application firewalls as they can fix this problem externally. A fix for a specific vulnerability is usually very easy to design and in most cases it can be done in less than 15 minutes.
Trustwave's new 360 Application Security Program includes virtual patching services delivered by SpiderLabs.
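Review bot: "RegExs" in the corrected performance paragraph is spelled three ways in one passage ("Regular Expression", "RegEx patterns", "RegExs"); pick one form, e.g. "regular expressions" throughout, since the only change here is "comsume" to "consume".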
@@ -227,7 +227,7 @@ Trustwave's new 360 Application Security Program includes virtual patching servi
== How do I manage ModSecurity logs if I have multiple installations? ==
If you have more then 1 ModSecurity installation, you have undoubtedly run into issues with consolidating, analyzing and responding to alert messages. Unfortunately, the original "Serial" format of the audit log was multi-line with all records held within one file. This made remote logging difficult. What was really needed was to have a mechanism to send logs onto a centralized logging host made specifically for processing ModSecurity Alert data. This is the purpose of the mlogc program. It comes with the ModSecurity source code and can be used to send individual audit log entried to a remote host in near real-time.
If you have more then 1 ModSecurity installation, you have undoubtedly run into issues with consolidating, analyzing and responding to alert messages. Unfortunately, the original "Serial" format of the audit log was multi-line with all records held within one file. This made remote logging difficult. What was really needed was to have a mechanism to send logs onto a centralized logging host made specifically for processing ModSecurity Alert data. This is the purpose of the mlogc program. It comes with the ModSecurity source code and can be used to send individual audit log entries to a remote host in near real-time.
== Is there an open source Console to send my audit logs to? ==
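Review bot: "If you have more then 1 ModSecurity installation" still has "then" for "than" and should read "If you have more than one ModSecurity installation"; the hunk only fixes "entried" to "entries". "send logs onto a centralized logging host" would also read better as "send logs to".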
@@ -235,4 +235,4 @@ Christian Bockermann has developed an outstanding free tool called AuditConsole
== Can I send ModSecurity alert log data through Syslog? ==
Yes. If you already have a central Syslog infrastructure setup and/or if you are using some sort of SIEM application (such as Intellitactics, etc...) then you might want to include the short version ModSecurity alert messages that appear in the Apache error_log file. You can easily reconfigure Apache to send its error logs through Syslog onto a remote, central logging server however the data being forwarded is a very small subset of the entire transaction. It is only a warning message and not enough information to conduct proper incident response to determine if there was a false positive or if it was a legitimate attack. In order to determine this information, you need access to the ModSecurity Audit log files.
Yes. If you already have a central Syslog infrastructure setup and/or if you are using some sort of SIEM application (such as Intellitactics, etc...), then you might want to include the short version ModSecurity alert messages that appear in the Apache error_log file. You can easily reconfigure Apache to send its error logs through Syslog onto a remote, central logging server. However, the data being forwarded is a very small subset of the entire transaction. It is only a warning message and not enough information to conduct proper incident response to determine if there was a false positive or if it was a legitimate attack. In order to determine this information, you need access to the ModSecurity Audit log files.
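Review bot: "a central Syslog infrastructure setup" in the corrected line should be "set up" (two words, verb form after "have"); "setup" is the noun. The sentence split before "However" is a good change.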