On 11/9/11 12:48 PM, "Ross Lawrie" <[email protected]> wrote:

>On Wed, 2011-11-09 at 10:10 +0200, Josh Amishav-Zlatin wrote:
>> On Tue, Nov 8, 2011 at 6:59 PM, Ross Lawrie <[email protected]> wrote:
>>
>> > This did help a little, the path was in need of updating, so I made that
>> > change, but the problem persisted. This led me to try running the lua
>> > scripts from the command line which resulted in "module 'rex_pcre' not
>> > found". I'm wondering if anyone is aware of a Debian (lenny) rex_pcre
>>
>> Hi Ross,
>>
>> Have you tried liblua5.1-rex-pcre0?
>>
>> --
>> - Josh
>
>Josh,
>
>Unfortunately that package doesn't exist for Debian Lenny (5.0.9). It
>looks like it exists for Squeeze and higher, but at this point I can't
>quite migrate this system to Squeeze. Thanks!
>
>Ross.

Hey Ross,
A couple points about the advanced_filter_converter.lua script -

1) As you noted - there are Lua module dependencies. You will need both
rex (for extended regular expressions) and bitop. These modules are
needed in order to properly mimic the data conversion that PHPIDS'
converter.php script
(https://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/Converter.php)
is doing.

2) We ran into some issues with that Lua script during the SQL Injection
Challenge
(http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html)
where certain payloads were actually causing the Lua script to abort... :(
This script needs more testing.

3) Due to issue #2, we opted, in the latest CRS, to update the actual
PHPIDS regex filters themselves to try and include the converter logic
within the operator vs. requiring the Lua script to first normalize data.

So, if you are running the latest CRS, you can use the
modsecurity_crs_41_sql_injection_attack.conf file and not need to use the
advanced filters conf.

Hope this info helps.

-Ryan
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
