On 05.05.2011 at 19:33, Ken Brucker wrote:
> If I'm understanding this tool the method of use is:
>
> - turn on ModSecurity audit log on target website
> - Run traffic to the site, including break-in attempts, normal usage, etc.
> - turn off audit log
>
> Update rules on the target website
> Test client will parse audit log and replay the web events to the target
> website.
>
> Review logs, rinse, repeat...
>
> Have I understood the scheme?
Basically, yes.
The workflow I had in mind was like this:

* Use the AuditConsole to receive ModSecurity events from the target website.
* Define specific test-tags and associate a set of tests with each tag, for example:
    tag: 'test-ruleId-123' => RULE_IDS @contains 123
    tag: 'test-forbidden-403' => RESPONSE_STATUS @eq 403
* Now, tag the events you want to use for testing, i.e. by tagging an event with "test-forbidden-403", which means: in my regression tests, make sure that this request will be tested against "RESPONSE_STATUS @eq 403".
* Download all events tagged as 'test*' from the AuditConsole, which will basically create a serial audit-log file with the tests attached to each event. This can then be re-injected into any ModSecurity-enabled Apache server. Ideally, this will be done on a special test system. Thus, you can easily flag events as "test-false-positive" and associate:
    tag: 'test-false-positive' => RESPONSE_STATUS @rx (20|30).
* Run the TestClient, which reads the serial audit-log, sends these to the Apache server (test server) and checks whether the events have been blocked by Apache/ModSecurity as expected.

I did some stuff like that for testing different rule sets some time ago (before I started implementing the AuditConsole):
https://secure.jwall.org/articles/eval_rules.jsp

Regards,
Chris
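Chris's tag-as-test scheme above, as an added Python sketch (example code written for this page, not the jwall-tools TestClient): it parses one event out of a serial audit log, reads the expectations from the proposed X section, and checks them against a replayed response. The X section name, the sample event, the response and the source of the rule IDs are assumptions.

```python
import re

# Constructed sample event in ModSecurity's serial audit-log format. Section X ("expected
# behaviour") is the hypothetical test section proposed in the thread, using its operator syntax.
SAMPLE_LOG = """--c3a4b5d6-A--
[05/May/2011:19:33:00 +0200] TfC8zH8AAAEAAB1@Fo4AAAAA 192.0.2.10 54321 192.0.2.1 80
--c3a4b5d6-B--
GET /index.php?id=1%27%20OR%201%3D1 HTTP/1.1
--c3a4b5d6-X--
RESPONSE_STATUS @eq 403
RESPONSE_BODY "@rx !MySQL Error"
RULE_IDS @contains 950901
--c3a4b5d6-Z--
"""
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
TEST = re.compile(r'^(\w+)\s+"?(!?)@(\w+)\s+(!?)(.*?)"?$')   # VAR [!]@op arg
OPS = {"eq": lambda v, a: v == a,
       "contains": lambda v, a: a in v,                     # substring or list membership
       "rx": lambda v, a: re.search(a, v if isinstance(v, str) else " ".join(v)) is not None}

def parse_events(log):
    """Split a serial audit log into events, each a dict {section letter: section text}."""
    marks, events = list(BOUNDARY.finditer(log)), []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(log)
        if m.group(2) == "A":                  # section A opens a new event
            events.append({})
        events[-1][m.group(2)] = log[m.end():end].strip("\n")
    return events

def parse_tests(section_x):
    """Parse 'VAR [!]@op arg' lines; a '!' before or after @op negates the test."""
    found = (TEST.match(ln.strip()) for ln in section_x.splitlines())
    return [(m[1], m[3], m[5], bool(m[2] or m[4])) for m in found if m]

def evaluate(tests, response):
    """Check each expectation against the replayed response -> [(label, passed)]."""
    values = {"RESPONSE_STATUS": str(response["status"]),
              "RESPONSE_BODY": response["body"],
              "RULE_IDS": [str(r) for r in response["rule_ids"]]}
    return [("%s %s@%s %s" % (v, "!" if n else "", o, a), OPS[o](values[v], a) != n)
            for v, o, a, n in tests]           # a negated test passes when the operator misses

# Constructed response of the test server to the replayed request; rule_ids is assumed to
# come from the new audit event the replay produced (the AuditConsole extension in the thread).
REPLAYED = {"status": 403, "body": "<h1>Forbidden</h1>", "rule_ids": [950901, 981176]}

def run_regression(log=SAMPLE_LOG, response=REPLAYED):
    """Replay-check the first logged event: its X-section expectations vs. the response."""
    return evaluate(parse_tests(parse_events(log)[0].get("X", "")), response)
```

The actual HTTP replay of section B is left out; on a real test server the response dict would be filled from the reply to the re-injected request.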
>
> On May 5, 2011, at 11:41 AM, Christian Bockermann wrote:
>
>> Hi Ken,
>>
>> your question is hitting the spot. Currently there is no such test engine available.
>> I've done some work on that by implementing a TestClient in Java, which basically
>> can re-inject all requests from a recorded ModSecurity audit-log.
>>
>> I've had plans (and started some of that) to implement an "X"-Section which can be
>> used to define "expected behaviour". For example, you could add some tests like:
>>
>> RESPONSE_STATUS @eq 404
>> RESPONSE_BODY "@rx !MySQL Error"
>> ...
>>
>> However, since such a test-client can only check for expected results within the
>> server response, this is somewhat limited. An extension might be to connect to the
>> AuditConsole and check the resulting "newly created" audit log events for the requests
>> that are injected for testing.
>>
>> If that sounds interesting to you, just drop me a line. I'd be happy to include such
>> a thing in the jwall-tools (open-source).
>>
>> Chris
>>
>> On 05.05.2011 at 17:54, Ken Brucker wrote:
>>
>>> Hi - I have some custom rules I'd like to create and I'm looking for a test
>>> engine to drive the rules and ensure I'm getting the expected results. I
>>> checked the FAQ and found this question that directly relates:
>>>
>>> How do I handle False Positives and creating Custom Rules?
>>>
>>> It is inevitable; you will run into some False Positive hits when using web
>>> application firewalls. This is not something that is unique to ModSecurity.
>>> All web application firewalls will generate false positives from time to
>>> time. The following Blog post information will help to guide you through
>>> the process of identifying, fixing, implementing and testing new custom
>>> rules to address false positives.
>>>
>>> But... the last sentence states "The following blog post information ..."
>>> and there is no blog post information following. Where do I find the
>>> referenced material?
>>>
>>> Does a test engine exist outside Apache to feed data through the rules to
>>> enable easy regression testing in addition to focused testing of new rules?
>>>
>>> Regards,
>>> Ken
>>> _______________________________________________
>>> Owasp-modsecurity-core-rule-set mailing list
>>> [email protected]
>>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>
>