rpms/prelude-lml/devel prelude-lml-0.9.13-modsecurity.patch, NONE, 1.1 prelude-lml.spec, 1.14, 1.15

Steve Grubb sgrubb at fedoraproject.org
Sat Oct 11 18:38:50 UTC 2008


Author: sgrubb

Update of /cvs/pkgs/rpms/prelude-lml/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16819

Modified Files:
	prelude-lml.spec 
Added Files:
	prelude-lml-0.9.13-modsecurity.patch 
Log Message:
* Sat Oct 11 2008 Steve Grubb <sgrubb at redhat.com> 0.9.13-2
- improved mod_security rules


prelude-lml-0.9.13-modsecurity.patch:

--- NEW FILE prelude-lml-0.9.13-modsecurity.patch ---
diff -ur prelude-lml-0.9.13.orig/plugins/pcre/ruleset/modsecurity.rules prelude-lml-0.9.13/plugins/pcre/ruleset/modsecurity.rules
--- prelude-lml-0.9.13.orig/plugins/pcre/ruleset/modsecurity.rules	2008-10-11 14:30:01.000000000 -0400
+++ prelude-lml-0.9.13/plugins/pcre/ruleset/modsecurity.rules	2008-10-11 14:33:08.000000000 -0400
@@ -20,7 +20,7 @@
 # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
 #
 #####
-# The rules developed using mod_security-2.1.6. 
+# The rules developed using mod_security-2.5.6 (tested with 2.1.7 and 2.5.6) 
 #####
 
 # Here are some example log entries that should match against rules defined below:
@@ -33,28 +33,120 @@
 # LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ match: 0. [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [uri "/\\xc4\\x9b+\\xc5\\xa1\\xc4\\x8d\\xc5\\xa1\\xc5\\x99\\xc5\\x99\\xc4\\x8d\\xc3\\xbd\\xc3\\xbd\\xc3\\xa1"] [unique_id "pNLe4woiIjEAAF4fLq0AAAAH"]
 # LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [uri "/\\xc4\\x9b+\\xc5\\xa1\\xc4\\x8d\\xc5\\xa1\\xc5\\x99\\xc5\\x99\\xc4\\x8d\\xc3\\xbd\\xc3\\xbd\\xc3\\xa1"] [unique_id "S2NY at woiIjEAAF4eLX8AAAAG"]
 
-# 3160-3167
-regex=\[severity "(?:EMERGENCY|ALERT|CRITICAL|ERROR)"\]; \
- id=3160; \
+########################
+
+# Protocol violation
+regex=\[id "(960911|950012|960912|960016|960011|960012|960013|950107|950801|950116|960014|960018|960901)"\]; \
+ id=3167; \
+ classification.text=HTTP Protocol violation; \
+ assessment.impact.severity=medium; \
+ additional_data(1).type=integer; \   
+ additional_data(1).meaning=ModSec Rule ID; \
+ additional_data(1).data=$1; \ 
+ chained; silent;
+
+# Protocol anomaly
+regex=\[id "(960019|960008|960015|960009|960904|960017|960913)"\]; \
+ id=3168; \
+ classification.text=HTTP Protocol anomaly; \
+ assessment.impact.severity=low; \
+ additional_data(1).type=integer; \   
+ additional_data(1).meaning=ModSec Rule ID; \
+ additional_data(1).data=$1; \
+ chained; silent;
+
+# Request limits
+regex=\[id "(960335)"\]; \
+ id=3169; \
+ classification.text=HTTP Request limit exceeded; \
+ assessment.impact.severity=high; \
+ additional_data(1).type=integer; \   
+ additional_data(1).meaning=ModSec Rule ID; \
+ additional_data(1).data=$1; \
+ chained; silent;
+
+# HTTP policy
+regex=\[id "(960032|960010|960034|960035|960038|960902|960903)"\]; \
+ id=3170; \
+ classification.text=HTTP policy violation; \
+ assessment.impact.severity=high; \
+ additional_data(1).type=integer; \   
+ additional_data(1).meaning=ModSec Rule ID; \
+ additional_data(1).data=$1; \
+ chained; silent;
+
+# Bad robots
+regex=\[id "(990002|990901|990902|990012|990011)"\]; \
+ id=3171; \
+ classification.text=Bad HTTP robot; \
+ assessment.impact.severity=info; \
+ additional_data(1).type=integer; \   
+ additional_data(1).meaning=ModSec Rule ID; \
+ additional_data(1).data=$1; \
+ chained; silent;
+
+# Generic attacks
+regex=\[id "(959009|950007|959007|950904|959904|950001|959001|950901|959901|950906|959906|950908|959908|950004|959004|950005|959005|950002|950006|959006|950907|959907|950008|959008|950010|959010|950011|959011|950013|959013|950018|959018|950019|959019|950910|950911)"\]; \
+ id=3172; \
+ classification.text=Generic HTTP attack; \
+ assessment.impact.severity=high; \
+ additional_data(1).type=integer; \   
+ additional_data(1).meaning=ModSec Rule ID; \
+ additional_data(1).data=$1; \
+ chained; silent;
+
+# Trojans
+regex=\[id "(950921|950922)"\]; \
+ id=3173; \
+ classification.text=HTTP trojan; \
  assessment.impact.severity=high; \
+ additional_data(1).type=integer; \   
+ additional_data(1).meaning=ModSec Rule ID; \
+ additional_data(1).data=$1; \
+ chained; silent;
+
+# Outbound
+regex=\[id "(970003|970004|970904|970007|970008|970009|970010|970012|970013|970014|970903|970015|970902|970016|970018|970901|970118|970021|970011)"\]; \
+ id=3174; \
+ classification.text=HTTP outbound policy violation; \
+ assessment.impact.severity=high; \
+ additional_data(1).type=integer; \   
+ additional_data(1).meaning=ModSec Rule ID; \
+ additional_data(1).data=$1; \
+ chained; silent;
+
+#########################
+
+# 3160-3166
+regex=\[file "([^"]+)"\]; \
+ id=3160; \
+ additional_data(>>).type=string; \
+ additional_data(-1).meaning=ModSec Ruleset File; \
+ additional_data(-1).data=$1; \
  chained; silent; 
 
-regex=\[severity "WARNING"\]; \
+regex=\[line "(\d+)"\]; \
  id=3161; \
- assessment.impact.severity=medium; \
+ additional_data(>>).type=integer; \
+ additional_data(-1).meaning=ModSec Ruleset Line; \
+ additional_data(-1).data=$1; \
  chained; silent;
 
-regex=\[severity "NOTICE"\]; \
+regex=\[tag "(\S+)"\]; \
  id=3162; \
- assessment.impact.severity=low; \
+ additional_data(>>).type=string; \
+ additional_data(-1).meaning=ModSec Rule Tag; \
+ additional_data(-1).data=$1; \
  chained; silent; 
 
-regex=\[severity "(?:INFO|DEBUG)"\]; \
+regex=\[severity "(\S+)"\]; \
  id=3163; \
- assessment.impact.severity=info; \
+ additional_data(>>).type=string; \
+ additional_data(-1).meaning=ModSec Severity; \
+ additional_data(-1).data=$1; \
  chained; silent; 
 
-regex=\[msg "([^"]+)"\]; \
+regex=\[msg "([^"]+)"\]; optgoto=3167-3174; min-optgoto-match=1; \
  id=3164; \
  classification.reference(0).meaning=$1; \
  classification.reference(0).origin=vendor-specific; \
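Review bot: The continuation backslashes on the `additional_data(1).type=integer; \` lines under `id=3167` through `id=3174`, and the `additional_data(1).data=$1; \` line under `id=3167`, are followed by trailing spaces; if the ruleset parser only honours `\` when it is the last character on the line, each of those rules would be truncated at that point and the `meaning`/`data`/`chained; silent` parts would be parsed as separate (invalid) lines. The removed 3166 rule carried the same `\   ` pattern, so the parser may tolerate it, but stripping the trailing whitespace removes the doubt. Separately, the generic `\[id "(\d+)"\]` rule is now commented out while the `id=3164` msg rule gains `optgoto=3167-3174; min-optgoto-match=1;`, so a log line whose rule id appears in none of the 3167-3174 lists (e.g. a site-local rule) no longer yields a `ModSec Rule ID` and, if min-optgoto-match works as its name suggests, fails the msg rule too; consider keeping a low-precedence catch-all id rule or noting in the header comment that only core-ruleset ids are classified.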
@@ -62,67 +154,89 @@
 
 regex=\[hostname "(\S+)"\]; \
  id=3165; \
- target(0).node.address(1).address=$1; \
- chained; silent;
-
-regex=\[id "(\d+)"\]; \
- id=3166; \
- additional_data(1).type=integer; \   
- additional_data(1).meaning=ModSec Rule ID; \
- additional_data(1).data=$1; \
- classification.reference(0).name=$1; \
+ target(0).node.address(0).address=$1; \
  chained; silent;
 
 regex=\[unique_id "(\S+)"\]; \
- id=3167; \
- additional_data(2).type=string; \
- additional_data(2).meaning=Unique ID; \
- additional_data(2).data=$1; \
- chained; silent;
+ id=3166; \
+ additional_data(>>).type=string; \
+ additional_data(-1).meaning=Unique ID; \
+ additional_data(-1).data=$1; \
+ chained; silent;
+
+#regex=\[id "(\d+)"\]; \
+# id=3166; \
+# additional_data(1).type=integer; \   
+# additional_data(1).meaning=ModSec Rule ID; \
+# additional_data(1).data=$1; \
+# classification.reference(0).name=$1; \
+# chained; silent;
+#########################
 
-# 3120-3121;
-regex=Match of "(.+)" against "(\S+)" required\.; optgoto=3160-3167; \
+# 3120-3125
+regex=Match of "(.+)" against "(\S+)" required\.; optgoto=3160-3166; \
  id=3120; \
  assessment.impact.description=ModSecurity found pattern match "$1" in HTTP object $2.; \
  chained; silent; 
 
-regex=Operator ([A-Z]{2}) match: (\d+)\.; optgoto=3160-3167; \
+regex=Operator ([A-Z]{2}) match: (\d+)\.; optgoto=3160-3166; \
  id=3121; \
  assessment.impact.description=ModSecurity found operator "$1" match "$2".; \
  chained; silent;
 
-regex=Pattern match "(.+)" at (\S+)\.; optgoto=3160-3167; \
+regex=Pattern match "(.+)" at (.+?)\.; optgoto=3160-3166; \
  id=3122; \
  assessment.impact.description=ModSecurity found pattern match "$1" in HTTP object $2.; \
  chained; silent;  
 
+regex=Operator ([A-Z]{2}) matched (\d+) at (\S+)\.; optgoto=3160-3166; \
+ id=3123; \
+ assessment.impact.description=ModSecurity found operator "$1" match "$2".; \
+ chained; silent;
+
+regex=Found (\d+) byte\(s\) in (\S+) outside range: (\S+)\.; optgoto=3160-3166; \
+ id=3124; \
+ assessment.impact.description=ModSecurity found $1 byte(s) in "$2" outside range $3.; \
+ chained; silent;
+
+regex=Found (\d+) byte\(s\) outside range: (\S+)\.; optgoto=3160-3166; \
+ id=3125; \
+ assessment.impact.description=ModSecurity found $1 byte(s) outside range $3.; \
+ chained; silent;
+
 # 3130-3133; Access denied + ...
-regex=with code (\d+) \(phase \d\)\.; optgoto=3120-3122; \
+regex=with code (\d+) \(phase \d\)\.; optgoto=3120-3125; \
  id=3130; \
  assessment.action(0).category = block-installed; \
  assessment.action(0).description = Access was blocked with HTTP response code $1.; \
  chained; silent;  
 
-regex=using proxy to \(phase (\d+)\) (\S+)\.; optgoto=3120-3122; \
+regex=using proxy to \(phase (\d+)\) (\S+)\.; optgoto=3120-3125; \
  id=3131; \
  assessment.action(0).category = block-installed; \
  assessment.action(0).description = Access was denied using proxy to $2.; \
  chained; silent; 
 
-regex=with redirection to (\S+) using status (\d+) \(phase (\d+)\)\.; optgoto=3120-3122; \
+regex=with redirection to (\S+) using status (\d+) \(phase (\d+)\)\.; optgoto=3120-3125; \
  id=3132; \
  assessment.action(0).category = block-installed; \
  assessment.action(0).description = Access was redirected to $1.; \
  chained; silent;
  
-regex=with connection close \(phase (\d+)\).; optgoto=3120-3122; \
+regex=with connection close \(phase (\d+)\).; optgoto=3120-3125; \
  id=3133; \
  assessment.action(0).category = block-installed; \
  assessment.action(0).description = Connection was closed.; \
  chained; silent;
 
+# Output filter
+regex=Response body too large \(over limit of (\d+)(.+?)\)\.; optgoto=3160-3166; \
+ id=3150; \
+ assessment.impact.description=Response body too large (over limit of $1$2); \
+ chained; silent;
+
 # 3100-3102
-regex=Warning\.; optgoto=3120-3121; \
+regex=Warning\.; optgoto=3120-3125; \
  id=3101; \
  classification.text=HTTP Warning.; \
  assessment.impact.completion=succeeded; \
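Review bot: The `id=3125` rule's regex `Found (\d+) byte\(s\) outside range: (\S+)\.` has only two capture groups, but its description references `$3`, so the range would be reported empty or undefined; it should read `assessment.impact.description=ModSecurity found $1 byte(s) outside range $2.;`. The neighbouring `id=3123` rule captures three groups (`matched (\d+) at (\S+)`) but its description uses only `$1` and `$2`, dropping the location; that may be deliberate to mirror 3121, but it is worth confirming since 3120/3122 do report the HTTP object. The `id=3101` rule continues past the end of the hunk.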
@@ -134,7 +248,14 @@
  assessment.impact.completion=failed; \
  chained; silent;
 
-regex=\[client ([\d\.]+)\] ModSecurity:.*\[uri "([^"]+)"\]; optgoto=3101-3102; \
+regex=Output filter:; optgoto=3150; \
+ id=3103; \
+ classification.text=HTTP Output filer error; \
+ assessment.impact.completion=failed; \
+ assessment.impact.severity=high; \
+ chained; silent;
+
+regex=\[client ([\d\.]+)\] ModSecurity:.*\[uri "([^"]+)"\]; optgoto=3101-3103; \
  id=3100; \
  analyzer(0).name=ModSecurity; \
  analyzer(0).manufacturer=www.modsecurity.org; \
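Review bot: The new `id=3103` rule's classification text contains a typo, `classification.text=HTTP Output filer error;`, which should be `classification.text=HTTP Output filter error;` — this string becomes the IDMEF classification operators filter and search on, so the misspelling will persist in stored alerts. Its regex `Output filter:` also matches any output-filter message while `optgoto=3150` only covers the "Response body too large" case, so other output-filter messages would presumably be raised at `severity=high` with no impact description; if that is intended, a comment saying so next to the rule would help. The `id=3100` rule continues past the end of the hunk.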


Index: prelude-lml.spec
===================================================================
RCS file: /cvs/pkgs/rpms/prelude-lml/devel/prelude-lml.spec,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- prelude-lml.spec	27 Aug 2008 15:41:53 -0000	1.14
+++ prelude-lml.spec	11 Oct 2008 18:38:19 -0000	1.15
@@ -1,6 +1,6 @@
 Name:		prelude-lml           
 Version:	0.9.13
-Release:	1%{?dist}
+Release:	2%{?dist}
 Summary:	The prelude log analyzer
 
 Group:		System Environment/Libraries
@@ -9,6 +9,7 @@
 Source0:	http://www.prelude-ids.org/download/releases/%{name}/%{name}-%{version}.tar.gz
 Source1:        prelude-lml.init
 Patch1:		prelude-lml-0.9.12-pie.patch
+Patch2:		prelude-lml-0.9.13-modsecurity.patch
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires:	gamin-devel, libprelude-devel, pcre-devel  
@@ -44,6 +45,7 @@
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
 sed -i.debug -e '/nlist/s|\$rm|: $rm|' ltmain.sh
 
 
@@ -111,6 +113,9 @@
 
 
 %changelog
+* Sat Oct 11 2008 Steve Grubb <sgrubb at redhat.com> 0.9.13-2
+- improved mod_security rules
+
 * Wed Aug 27 2008 Steve Grubb <sgrubb at redhat.com> 0.9.13-1
 - new upstream release
 



