From admin at thenamegame.com Wed May 16 01:47:34 2007
From: admin at thenamegame.com (Michael S.)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Is this project dead?
Message-ID:

I haven't seen a single update to any files in over 5 months. Is this project dead now?

From cooldude7273 at gmail.com Wed May 16 06:54:53 2007
From: cooldude7273 at gmail.com (Daniel McAlonan)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Is this project dead?
In-Reply-To: <464a9acc.7d1c1e20.798f.ffffe6dcSMTPIN_ADDED@mx.google.com>
References: <464a9acc.7d1c1e20.798f.ffffe6dcSMTPIN_ADDED@mx.google.com>
Message-ID:

I've been wondering the same thing!

On 5/16/07, Michael S. wrote:
>
> I haven't seen a single update to any files in over 5 months. Is this
> project dead now?
>
> _______________________________________________
> Modsecurity mailing list
> Modsecurity@gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
>

--
Daniel McAlonan
Proud Webmaster of MsBetas.org and ProxySauce.com

From mike at gotroot.com Wed May 16 18:25:26 2007
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:32 2008
Subject: [Modsecurity] Is this project dead?
In-Reply-To:
References: <464a9acc.7d1c1e20.798f.ffffe6dcSMTPIN_ADDED@mx.google.com>
Message-ID: <1179354326.7885.27.camel@localhost.localdomain>

Nope, not dead, just major changes underway that take time.

On Wed, 2007-05-16 at 06:54 -0400, Daniel McAlonan wrote:
> I've been wondering the same thing!
>
> On 5/16/07, Michael S. wrote:
>         I haven't seen a single update to any files in over 5 months.
>         Is this project dead now?
>
> --
> Daniel McAlonan
> Proud Webmaster of MsBetas.org and ProxySauce.com

--
Michael T. Shinn
KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From admin at thenamegame.com Sun May 20 01:49:52 2007
From: admin at thenamegame.com (Michael S.)
Date: Mon Jan 7 18:22:33 2008
Subject: [Modsecurity] Let me ask this question again!!
Message-ID:

Is this project dead or is it still alive????????????

From mike at gotroot.com Sun May 20 15:30:51 2007
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:33 2008
Subject: [Modsecurity] Let me ask this question again!!
Message-ID: <4650A1EB.9040806@gotroot.com>

Thanks for the question. Yes, it's alive and well (I thought I was pretty clear about that in a previous mail). :-)

The primary reasons for the long delay in releasing new rules are:

1) modsec can not handle a lot of rules without serious performance issues
2) There does not appear to be a solution to fix this limitation in modsec, outside of running with fewer rules and jamming as many regexps as possible onto one line.

So I've been working very hard on these performance issues. I have long held that purely generic rules are only a small part of a good set of rules.
Positive rules and negative rules each have their place, and any WAF must be able to handle thousands of rules to operate in a complex environment, and not merely hundreds as seems to be the "preferred" configuration. I myself run with every rule you see on gotroot.

With that said, I deeply respect and appreciate the work of everyone on the modsec team, but I do not want to just stop with the approach of running with fewer, but more complex, rules. This makes it much harder to write, maintain, and document specific rules for a specific app and a specific vulnerability. I believe this forces one to write too many generic rules, which increases the rate of false positives.

For example, in a hosting environment, you can expect to run with thousands of rules if you customize even just a few for each vhost. And if you start building rules for complicated apps, you may increase that several fold - and then performance suffers. I don't want to trade security for performance, or vice versa. So, the short end of it, I've been working for the past 6 months on ways to solve this problem, including dropping modsec altogether and going with another approach.

And if someone from Breach is reading this, I appreciate all your hard work and I sincerely hope that you are interested in embracing a vision where we can run with more rules.

Now, I will be putting out a new release shortly, with the caveat that the modsec performance issues are something outside of my control in those releases.

Michael S. wrote:
> Is this project dead or is it still alive????????????
>

From mike at gotroot.com Sun May 20 16:12:05 2007
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:33 2008
Subject: [Modsecurity] Roadmap for rules
Message-ID: <4650AB95.607@gotroot.com>

Here's my roadmap for the rules project. I'll put a page for this on the website this week as well. If something is more important to you, let me know.

June 2007: Relicensing rules under GPL

July 2007: Release of new rule structure to meet performance limitations of modsec

August 2007: Start application rules project
  To create rules that define allowed behavior for applications. I'll put out a timeline for this one as well.

September 2007: Re-design of antispam approach (again, driven by the limitations in modsec)

October 2007: Release of rules for other WAF platforms

In the meantime, I'll be putting out updates to the current rules, before the performance re-write is done.

Also, how important is 1.9.x support? If everyone has moved to 2.x, I can focus on just that platform, but if 1.9.x support is needed, no worries, I can keep supporting it.

--
Michael Shinn

From marc.stern at approach.be Mon May 21 03:44:44 2007
From: marc.stern at approach.be (Marc Stern)
Date: Mon Jan 7 18:22:33 2008
Subject: [Modsecurity] Let me ask this question again!!
In-Reply-To: <4650A1EB.9040806@gotroot.com>
References: <4650A1EB.9040806@gotroot.com>
Message-ID: <46514DEC.1030807@approach.be>

An HTML attachment was scrubbed...

From mike at gotroot.com Mon May 21 09:57:00 2007
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:33 2008
Subject: [Modsecurity] Let me ask this question again!!
In-Reply-To: <46514DEC.1030807@approach.be>
References: <4650A1EB.9040806@gotroot.com> <46514DEC.1030807@approach.be>
Message-ID: <1179755820.28558.8.camel@localhost.localdomain>

On Mon, 2007-05-21 at 09:44 +0200, Marc Stern wrote:
> Can you give us more details about the performance problems?
> Do you have any metrics?

Not specifically. For the longest time, I could not even reproduce the problems, but have been able to on some unique boxes. For what it's worth, I run all the rules on my boxes with no issues, but on some boxes I've taken a look at there is a slowdown for really large rulesets.

> What about the other solutions? Are there better ones?

Well, sort of and maybe. So far I'm not done evaluating what I've found, but a good example of systems that can scale to a lot of rules is snort. So it's possible to run with lots of rules without killing your box.

> Thanks,
>
> Marc
>
>
> Michael Shinn wrote:
> > Thanks for the question. Yes, it's alive and well (I thought I was
> > pretty clear about that in a previous mail). :-)
> >
> > The primary reasons for the long delay in releasing new rules are:
> >
> > 1) modsec can not handle a lot of rules without serious performance issues
> > 2) There does not appear to be a solution to fix this limitation in
> > modsec, outside of running with fewer rules and jamming as many regexps
> > as possible onto one line.
> >
> > So I've been working very hard on these performance issues. I have
> > long held that purely generic rules are only a small part of a good set
> > of rules. Positive rules and negative rules each have their place,
> > and any WAF must be able to handle thousands of rules to operate in a
> > complex environment, and not merely hundreds as seems to be the
> > "preferred" configuration. I myself run with every rule you see on gotroot.
> >
> > With that said, I deeply respect and appreciate the work of everyone on
> > the modsec team, but I do not want to just stop with the approach of
> > running with fewer, but more complex, rules. This makes it much harder to
> > write, maintain, and document specific rules for a specific app and a
> > specific vulnerability. I believe this forces one to write too many
> > generic rules, which increases the rate of false positives.
> >
> > For example, in a hosting environment, you can expect to run with
> > thousands of rules if you customize even just a few for each vhost. And
> > if you start building rules for complicated apps, you may increase that
> > several fold - and then performance suffers. I don't want to trade
> > security for performance, or vice versa. So, the short end of it, I've
> > been working for the past 6 months on ways to solve this problem,
> > including dropping modsec altogether and going with another approach.
> >
> > And if someone from Breach is reading this, I appreciate all your hard
> > work and I sincerely hope that you are interested in embracing a vision
> > where we can run with more rules.
> >
> > Now, I will be putting out a new release shortly, with the caveat that
> > the modsec performance issues are something outside of my control in
> > those releases.
> >
> > Michael S. wrote:
> >
> > > Is this project dead or is it still alive????????????
> >

--
Michael T. Shinn
KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From mike at gotroot.com Mon May 21 09:58:25 2007
From: mike at gotroot.com (Michael Shinn)
Date: Mon Jan 7 18:22:33 2008
Subject: [Modsecurity] 1.9.x support continues
Message-ID: <1179755905.28558.12.camel@localhost.localdomain>

Lots of requests for 1.9.x support, so no worries, I will continue to support it. I too have 1.9.x boxes. :-)

--
Michael T. Shinn
KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com
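The two approaches argued over in Michael Shinn's May 20 message (many small signature rules versus fewer rules with "as many regexps as possible jammed onto one line", and the positive-rule versus negative-rule distinction) look like this in ModSecurity 2.x configuration. This is an added illustration written for this archive page; it is not from the gotroot rule set, from Breach, or from anyone in the thread. The signatures, rule ids, parameter names and the /login.php vhost path are made up for the example, and the @pm block assumes ModSecurity 2.1 or later, which is where the @pm operator was introduced.

```apache
# Added example, not from the thread or the gotroot rules. Assumes
# ModSecurity 2.x (2.1+ for @pm). Patterns, ids and paths are hypothetical.

# --- Negative model, one rule per signature ------------------------------
# Each SecRule is its own regex, executed against every variable in ARGS
# for every request that reaches phase 2. Per-rule msg is precise and each
# rule documents one vulnerability, but cost grows with the rule count.
SecRule ARGS "(?i:union\s+select)"  "phase:2,t:urlDecodeUni,deny,status:403,id:900001,msg:'SQLi: UNION SELECT'"
SecRule ARGS "(?i:insert\s+into)"   "phase:2,t:urlDecodeUni,deny,status:403,id:900002,msg:'SQLi: INSERT INTO'"
SecRule ARGS "(?i:drop\s+table)"    "phase:2,t:urlDecodeUni,deny,status:403,id:900003,msg:'SQLi: DROP TABLE'"
SecRule ARGS "(?i:<script[^>]*>)"   "phase:2,t:urlDecodeUni,deny,status:403,id:900004,msg:'XSS: script tag'"

# --- Same signatures folded onto one line ---------------------------------
# One regex with an alternation: one pass per variable instead of four.
# The trade-off the thread describes: the rule can no longer say which
# signature fired, and maintaining it per app or per vulnerability is harder.
SecRule ARGS "(?i:union\s+select|insert\s+into|drop\s+table|<script[^>]*>)" \
    "phase:2,t:urlDecodeUni,deny,status:403,id:900010,msg:'Consolidated SQLi/XSS signature'"

# --- Keyword lists: @pm instead of a regex --------------------------------
# When the signatures are literal phrases rather than patterns, @pm
# (set matching, ModSecurity 2.1+) checks the whole list in a single pass
# and scales far better than either regex form above.
SecRule ARGS "@pm information_schema xp_cmdshell load_file( benchmark( sleep(" \
    "phase:2,t:lowercase,t:urlDecodeUni,deny,status:403,id:900020,msg:'SQL injection marker in argument'"

# --- Positive model for one vhost path ------------------------------------
# Instead of enumerating attacks, state what /login.php may receive: only
# two parameters, each with a bounded charset and length. Rules like these
# are application-specific, which is why a hosting environment that writes
# even a few per vhost ends up with thousands of rules.
<LocationMatch "^/login\.php$">
    # Any parameter name other than user or pass is rejected outright.
    SecRule ARGS_NAMES "!^(user|pass)$" \
        "phase:2,deny,status:403,id:900030,msg:'login.php: unexpected parameter'"
    # user: alphanumerics, dot, underscore, hyphen; 1-32 characters.
    SecRule ARGS:user "!^[A-Za-z0-9._-]{1,32}$" \
        "phase:2,deny,status:403,id:900031,msg:'login.php: bad user value'"
    # pass: printable ASCII only, length-bounded.
    SecRule ARGS:pass "!^[\x20-\x7e]{1,128}$" \
        "phase:2,deny,status:403,id:900032,msg:'login.php: bad pass value'"
</LocationMatch>
```

The positive rules are the ones that multiply: every vhost needs its own LocationMatch block per form, and a rule engine that only tolerates a few hundred rules forces you back toward the consolidated negative signatures, with the loss of per-signature messages and the higher false-positive rate the thread complains about. Note also that the @pm and alternation forms only replace one another where the signatures are literal strings; a pattern such as `<script[^>]*>` still needs the regex.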