On Wed, 2011-11-09 at 11:55 -0600, Ryan Barnett wrote:
> On 11/9/11 12:48 PM, "Ross Lawrie" <[email protected]> wrote:
>
> >On Wed, 2011-11-09 at 10:10 +0200, Josh Amishav-Zlatin wrote:
> >> On Tue, Nov 8, 2011 at 6:59 PM, Ross Lawrie <[email protected]> wrote:
> >>
> >> > This did help a little, the path was in need of updating, so I made that
> >> > change, but the problem persisted. This led me to try running the lua
> >> > scripts from the command line which resulted in "module 'rex_pcre' not
> >> > found". I'm wondering if anyone is aware of a Debian (lenny) rex_pcre
> >>
> >> Hi Ross,
> >>
> >> Have you tried liblua5.1-rex-pcre0?
> >>
> >> --
> >> - Josh
> >
> >Josh,
> >
> >Unfortunately that package doesn't exist for Debian Lenny (5.0.9). It
> >looks like it exists for Squeeze and higher, but at this point I can't
> >quite migrate this system to Squeeze. Thanks!
> >
> >Ross.
>
>
> Hey Ross,
> A couple points about the advanced_filter_converter.lua script -
>
> 1) As you noted - there are Lua module dependencies. You will need both
> rex (for extended regular expressions) and bitop. These modules are
> needed in order to properly mimic the data conversion that PHPIDS'
> converter.php script
> (https://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/Converter.php)
> is doing.
>
> 2) We ran into some issues with that Lua script during the SQL Injection
> Challenge
> (http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html)
> where certain payloads were actually causing the Lua
> script to abort... :( This script needs more testing.
>
> 3) Due to issue #2, we opted, in the latest CRS, to update the actual
> PHPIDS regex filters themselves to try and include the converter logic
> within the operator vs. requiring the Lua script to first normalize data.
> So, if you are running the latest CRS, you can use the
> modsecurity_crs_41_sql_injection_attack.conf file and not need to use the
> advanced filters conf.
>
> Hope this info helps.
>
> -Ryan
>
Great, I'll try rolling out the latest CRS (v2.2.2 right?) and leave out
the advanced_filters. Thanks so much for the help and advice!

Ross.

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
