Got your GitHub Pull request, thanks. Just for some background on my request to use github. Using GitHub for CRS Dev is critical for collaboration and community involvement. I realize this was a minor change and *easy* to do however I want to encourage use of GitHub for all updates.
Thanks for your contribution! -- Ryan Barnett Lead Security Researcher Trustwave - SpiderLabs On Jan 31, 2013, at 5:15 PM, "Ryan Barnett" <rbarn...@trustwave.com<mailto:rbarn...@trustwave.com>> wrote: Please use GitHub and issue a Pull request. Thanks. -- Ryan Barnett Trustwave SpiderLabs ModSecurity Project Leader OWASP ModSecurity CRS Project Leader From: yersinia <yersinia.spi...@gmail.com<mailto:yersinia.spi...@gmail.com>> Date: Thursday, January 31, 2013 12:33 PM To: "owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>" <owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>> Subject: Re: [Owasp-modsecurity-core-rule-set] [PATCH] modsecurity_crs_47_common_exceptions.conf: drop apache User-Agent signature for dummy connection Patch not useful or wrong way to post it ? Just for info. Best On Wed, Jan 30, 2013 at 11:57 AM, Elia Pinto <yersinia.spi...@gmail.com<mailto:yersinia.spi...@gmail.com>> wrote: When the apache HTTP Server manages its child processes, it sends a simple HTTP request back to itself. This request will appear in the access_log file with the remote address set to the loop-back interface and if you log the User-Agent string you will see the server signature followed by "(internal dummy connection)" on non-SSL servers. modsecurity_crs_47_common_exceptions already contain a chained rule for skipping the apache internal dummy connection if the connection is from the lookback address. But if the administrator has set the directive SecServerSignature to one of the ./modsecurity_35_bad_robots.data, for example chinaclaw, the skip rule for the internal dummy connection is not used, because in that case the User-Agent is defined by the valued of the SecServerSignature, and not contain the value Apache: in this case the rule 990012 will fire wrongly. Therefore, because the skip rule it is applied already to connection from 127.0.0.1, so it is sufficently safe, don't cause any problem to eliminate the "Apache" control also on the User-Agent variables. It is very similar to a standard iptables setup in which it is common to put a catchall ACCEPT rule on the loopback interface. --- .../modsecurity_crs_47_common_exceptions.conf | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/base_rules/modsecurity_crs_47_common_exceptions.conf b/base_rules/modsecurity_crs_47_common_exceptions.conf index c63cabd..eda515b 100644 --- a/base_rules/modsecurity_crs_47_common_exceptions.conf +++ b/base_rules/modsecurity_crs_47_common_exceptions.conf @@ -23,7 +23,7 @@ SecRule REQUEST_LINE "^GET /$" "chain,phase:2,id:'981020',t:none,pass,nolog" # SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/1.0$" "chain,phase:2,id:'981021',t:none,pass,nolog" SecRule REMOTE_ADDR "^(127\.0\.0\.|\:\:)1$" "chain,t:none" - SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none,t:none,chain" + SecRule REQUEST_HEADERS:User-Agent "^.*\(internal dummy connection\)$" "t:none,t:none,chain" SecRule TX:'/PROTOCOL_VIOLATION\\\/MISSING_HEADER/' ".*" "chain,setvar:tx.missing_header=+1,setvar:tx.missing_header_%{tx.missing_header}=%{matched_var_name}" SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}" -- 1.7.1 ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
