From mail at skyhorse.org Sat Aug 5 08:50:52 2006
From: mail at skyhorse.org (Paulo Cunha)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] invalid regular expression in rules.conf
Message-ID: <1154782253.10578.3.camel@localhost.localdomain>

Hello all,

I'm not sure if I'm the only one but the rules.conf file updated two days ago (3rd of August?) doesn't work on my box with this error:

Syntax error on line 395 of /etc/modsecurity/rules.conf:
Invalid regular expression: \;\x20+?perl\x20+[A-Za-z|0-9]+;

I had to remove that line to make apache run. Regarding the regex, could we be missing a \ before the last ; ?

Thanks,
paulo

From mike at gotroot.com Sun Aug 6 17:49:12 2006
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] invalid regular expression in rules.conf
In-Reply-To: <1154782253.10578.3.camel@localhost.localdomain>
Message-ID: <060801c6b9a2$27d949f0$070a0a0a@games>

Thank you for the report. This should only affect users running apache 1.x, who are not using the PCRE regexp engine (I highly recommend you use the PCRE engine if you are running apache 1.x, as the 1.x built-in engine is very slow).

I'll move this to the apache-2 only ruleset later tonight. Thanks again for the report.

-----Original Message-----
From: modsecurity-bounces@gotroot.com [mailto:modsecurity-bounces@gotroot.com] On Behalf Of Paulo Cunha
Sent: Saturday, August 05, 2006 8:51 AM
To: modsecurity@gotroot.com
Subject: [Modsecurity] invalid regular expression in rules.conf

Hello all,

I'm not sure if I'm the only one but the rules.conf file updated two days ago (3rd of August?) doesn't work on my box with this error:

Syntax error on line 395 of /etc/modsecurity/rules.conf:
Invalid regular expression: \;\x20+?perl\x20+[A-Za-z|0-9]+;

I had to remove that line to make apache run. Regarding the regex, could we be missing a \ before the last ; ?
Thanks,
paulo
_______________________________________________
Modsecurity mailing list
Modsecurity@gotroot.com
http://lists.gotroot.com/mailman/listinfo/modsecurity

From chrisholloway at thumbtechs.com Mon Aug 7 11:11:47 2006
From: chrisholloway at thumbtechs.com (Chris Holloway)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Rule Help
Message-ID: <44D75833.1080603@thumbtechs.com>

Can someone please help, I need a rule that blocks any form injection for a Brazilian address, .br. I keep getting spam attacks with almost all of the emails destined for .br. They are getting past the other rules. I tried this:

SecFilterSelective HTTP_Referer|ARGS ".br"

This actually gets everything with br, so words like broken, or bring are blocked. I need something more like something@something.br .

Thanks for the help, I do not want to let these guys by ever again.

Chris

From mike at gotroot.com Tue Aug 15 13:10:02 2006
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Commercial support for the signatures now available
Message-ID: <1155661802.23363.111.camel@localhost.localdomain>

Due to popular demand, I'm now offering commercial support for the signatures, so if you need priority support for a bug, need something customized, written, etc. it's now available. Please visit the ASL website at:

http://www.atomicrocketturtle.com/Joomla/content/view/137/34/

Commercial support is currently being offered as part of the Atomic Secured Linux package. If you are running the signatures on another platform, please contact me directly for commercial support. I'll be setting up support for just the signatures, and other platforms shortly and will make an announcement here as soon as the site is set up.

If anyone would like to see anything else supported commercially, please let me know. :-)

And yes, the RBL is available. I'll be sending out an e-mail to those that contacted me to start using it in Beta.
I don't want to go to full open until I finish the web GUI so people can request to be removed from the RBL. Right now, it's 100% me. (And I don't scale) ;-)

Anyone is welcome to use it, I just don't want to get flooded with requests to remove false positives, as I'm working on a means to automate that. So if you want to use it, you'll need to use one of the development builds of modsecurity 2.0.

--
Michael T. Shinn
KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From peter.pramberger at 1012surf.net Wed Aug 16 03:25:58 2006
From: peter.pramberger at 1012surf.net (Peter Pramberger)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Incomplete check in id:390080
Message-ID: <44E2C886.5010603@1012surf.net>

Hi all!

Today I noticed critical modsecurity errors in my apache log from rule id 390080 ("Checking for valid X-Forwarded header", jitp.conf), caused by our own web proxy. It looks like the regexp in this rule checks only for one entry in X-Forwarded-For, but I use proxy chaining where each web proxy in the chain attaches its own entry to this header field, eg.

X-Forwarded-For: unknown, 1.2.3.4

Regards,
Peter

From mike at gotroot.com Wed Aug 16 08:41:12 2006
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Incomplete check in id:390080
In-Reply-To: <44E2C886.5010603@1012surf.net>
Message-ID: <001d01c6c131$41d871a0$070a0a0a@games>

Thanks for the report Peter, I'll modify the rule later today.

-----Original Message-----
From: modsecurity-bounces@gotroot.com [mailto:modsecurity-bounces@gotroot.com] On Behalf Of Peter Pramberger
Sent: Wednesday, August 16, 2006 3:26 AM
To: modsecurity@gotroot.com
Subject: [Modsecurity] Incomplete check in id:390080

Hi all!
Today I noticed critical modsecurity errors in my apache log from rule id 390080 ("Checking for valid X-Forwarded header", jitp.conf), caused by our own web proxy. It looks like the regexp in this rule checks only for one entry in X-Forwarded-For, but I use proxy chaining where each web proxy in the chain attaches its own entry to this header field, eg.

X-Forwarded-For: unknown, 1.2.3.4

Regards,
Peter

From mike at gotroot.com Wed Aug 16 08:43:56 2006
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Incomplete check in id:390080
In-Reply-To: <44E2C886.5010603@1012surf.net>
Message-ID: <000901c6c131$a44e21e0$070a0a0a@games>

Thanks for the report. I'll make the changes later today.

-----Original Message-----
From: modsecurity-bounces@gotroot.com [mailto:modsecurity-bounces@gotroot.com] On Behalf Of Peter Pramberger
Sent: Wednesday, August 16, 2006 3:26 AM
To: modsecurity@gotroot.com
Subject: [Modsecurity] Incomplete check in id:390080

Hi all!

Today I noticed critical modsecurity errors in my apache log from rule id 390080 ("Checking for valid X-Forwarded header", jitp.conf), caused by our own web proxy. It looks like the regexp in this rule checks only for one entry in X-Forwarded-For, but I use proxy chaining where each web proxy in the chain attaches its own entry to this header field, eg.

X-Forwarded-For: unknown, 1.2.3.4

Regards,
Peter

From jphuman at gmail.com Tue Aug 22 18:04:53 2006
From: jphuman at gmail.com (J-P Human)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] per vhost exclusions solved?
 | order of exclusions | mixing rules from modsecurity.org
Message-ID:

Hi

I have three questions.

Firstly, something I had trouble with was skipping certain rules for certain files on certain vhosts. Basically what I'm saying is on a box running multiple vhosts a specific vhost, say www.example.com, was triggering an XSS rule ( id of 40002 ) with its page /styles.php. Now a simple:

SecFilterRemove 40002

would exclude it from that rule, but it would also exclude all other occurrences of /style.php on all other vhosts, which is not good. The only solution I found to that was: in the vhost file for www.example.com I inserted the above exclusion and it seemed to work. To test, I copied the styles.php to another vhost on the same server and it triggered the rule, while the www.example.com was skipping the rule. Is this the correct way to solve this problem or am I missing something?

My second question: the exclude.conf rule set, if this gets loaded into your "global rule set", has a lot of common file names which are excluded from rules; for example, a Joomla rule for /index.php skips a couple of checks. This would mean for all occurrences of index.php on all vhosts index.php will never have those rules run against it? The only solution I see is to apply each exclusion on a per vhost basis if my above method does in fact work. ( I think it does )

Lastly my third question: if I'm using all the gotroot rule sets, am I duplicating rules by using the rule sets from modsecurity.org? Or should I run both?

Thanks for all the work, these rules make a huge difference.

Regards
J-P Human

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.gotroot.com/pipermail/modsecurity/attachments/20060823/da2b8f4c/attachment.html

From n0nam3d at gmail.com Thu Aug 24 04:40:14 2006
From: n0nam3d at gmail.com (Marco)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Error in jitp.conf and rules.conf in apache1
Message-ID: <1e62439a0608240140q503eb5b9kea9248c286814b56@mail.gmail.com>

Hi,

I downloaded the latest rules for apache1 and when I start apache I got these errors:

Syntax error on line 4158 of jitp.conf:
Invalid regular expression: !^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|)|unknown),?(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|)|unknown)?
failed!

Syntax error on line 395 of rules.conf:
Invalid regular expression: \;\x20+?perl\x20+[A-Za-z|0-9]+;
failed!

Regards,
Marco

--
Blog: http://p0l0.binware.org
Registered GNU/Linux User #364546

From zeki at zeki.ch Mon Aug 28 15:23:57 2006
From: zeki at zeki.ch (Zekeria Oezdemir)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] blogspot.com
Message-ID: <004f01c6cad7$82522a00$6963a8c0@kik>

Hi there,

Users of mine have a blog that is linked on a blog on blogspot.com. When a visitor clicks on the blog, I get these in the logs:

mod_security-message: Access denied with code 403. Pattern match "blogspot\\.com" at HEADER("Referer") [severity "EMERGENCY"]

Why is blogspot.com on the list?

Greets,
zeki

From jeroen at easyhosting.nl Tue Aug 29 08:22:01 2006
From: jeroen at easyhosting.nl (Jeroen Wunnink)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] New joomla exploit
Message-ID: <7.0.1.0.2.20060829142118.05ae6718@easyhosting.nl>

An HTML attachment was scrubbed...
URL: http://lists.gotroot.com/pipermail/modsecurity/attachments/20060829/59480e22/attachment.html
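
Added example (not from the list or the gotroot rule files) for the "Incomplete check in id:390080" thread above: a single-entry X-Forwarded-For pattern beside one that accepts a proxy chain. The octet sub-pattern is copied from the expression quoted in the archive; the names SINGLE, CHAIN and classify, the 16-hop cap and the sample header values are assumptions constructed for illustration.

```python
import re

# Octet sub-pattern as quoted in the jitp.conf error message in the archive.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
# One hop: a dotted-quad IPv4 address or the literal token "unknown".
HOP = rf"(?:{OCTET}(?:\.{OCTET}){{3}}|unknown)"

# Single-entry check: exactly one hop and nothing else.
SINGLE = re.compile(rf"\A{HOP}\Z")
# Chain-aware check: hops separated by a comma and optional blanks, because
# each proxy appends its own entry. \A and \Z anchor both ends, so trailing
# junk (or a trailing newline, which "$" would tolerate) is refused.
# The cap of 16 hops is an assumption to bound the header, not a standard.
CHAIN = re.compile(rf"\A{HOP}(?:,[ \t]*{HOP}){{0,15}}\Z")


def classify(value):
    """Return (single_ok, chain_ok) for one X-Forwarded-For header value."""
    return (SINGLE.match(value) is not None, CHAIN.match(value) is not None)


# Constructed sample values; the second is the header reported in the thread.
SAMPLES = [
    "1.2.3.4",
    "unknown, 1.2.3.4",
    "10.0.0.1,192.168.1.7, unknown",
    "1.2.3.4, <script>alert(1)</script>",
    "1.2.3.4\n",
    "999.2.3.4",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        single_ok, chain_ok = classify(sample)
        print(f"{sample!r:45} single={single_ok} chain={chain_ok}")
```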
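
Added example (not from the list) for the "Rule Help" question above: why the pattern ".br" also fires on words such as "broken", and a tighter pattern for e-mail addresses whose domain ends in .br. BR_EMAIL, hits and the sample strings are constructed here, and the negative lookahead assumes a PCRE-style regex engine.

```python
import re

# The pattern from the post: "." is a regex wildcard, so this means
# "any character followed by br" anywhere in the value.
NAIVE = re.compile(r".br")

# Constructed alternative: local part, "@", one or more domain labels, then
# the final label "br". The lookahead refuses a following label character or
# ".label", so "user@example.br.com" is not treated as a .br address.
BR_EMAIL = re.compile(
    r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+br(?![A-Za-z0-9-]|\.[A-Za-z0-9])",
    re.IGNORECASE,
)


def hits(pattern, value):
    """True if the pattern is found anywhere in the argument value."""
    return pattern.search(value) is not None


# Constructed form-field values, legitimate text first.
SAMPLES = [
    "my link is broken",
    "please bring it",
    "user@brasil.example.com",
    "user@example.br.com",
    "contato@exemplo.com.br",
    "Send to X@MAIL.EXAMPLE.BR.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:32} naive={hits(NAIVE, sample)} "
              f"br_email={hits(BR_EMAIL, sample)}")
```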