ModSecurity Blog: September 2003

Enhanced rules now available

The last change before the 1.7 release is now in the CVS. I have refactored the code dealing with rule processing, and added three new actions: allow, skipnext, and chain. Allow enables you to stop rule processing on a single rule match and let the request through. With skipnext you can skip one or more rules. Finally, the chain action is used to chain several filters together, essentially a logical AND: the final rule in the chain will be processed only if all rules before it match. These actions make mod_security much more fun to play with.

So, let's say that you want to restrict administration access to an application but you can't do it with standard Apache directives because the admin shares the same login panel as other users. No problem:

SecFilterSelective ARG_username admin chain
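A complete version of this restriction, added here as an example rather than taken from the original post; it assumes the administrator's workstation address is 192.0.2.10 (a placeholder) and that the default action denies the request:

```apache
# Added example, not from the original post.
# Assumed default action: anything a rule matches is denied and logged.
SecFilterDefaultAction "deny,log,status:403"

# Rule 1: fire only when the "username" argument is exactly "admin".
# The pattern is anchored on purpose; the unanchored "admin" would also
# match "superadmin". "chain" means the next rule is evaluated only if
# this one matched, so the two rules act as a logical AND.
SecFilterSelective ARG_username "^admin$" chain

# Rule 2: "!" negates the pattern, so this matches (and the chain's
# action is taken) whenever the client is NOT the trusted address.
# 192.0.2.10 is a placeholder; substitute the real admin host.
SecFilterSelective REMOTE_ADDR "!^192\.0\.2\.10$"
```

The net effect is that an "admin" login attempt from any other client address is rejected with a 403, while logins by other usernames are unaffected.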

Cookie parsing added

Now you can analyse cookies using new selective filtering variables (COOKIE_name, COOKIE_NAMES, COOKIE_VALUES). Even before this change it was possible to look at cookies (as cookies are just HTTP headers) but the functionality was limited. ModSecurity now parses cookies for you.

Let's say you wanted to prevent XSS attacks via the PHP session cookie; this filter would make sure the cookie is in order:

SecFilterSelective COOKIE_PHPSESSID "^[0-9a-z]+$"

COOKIE_NAMES and COOKIE_VALUES will examine all cookie names and values, respectively.

Masking your web server

There is a new feature available in the CVS that allows you to mask your web server and instruct it to pretend to be something else. Normally, to do this sort of thing you would have to change the Apache source code and recompile; now you can do it with a single configuration directive. Just type:

SecServerSignature "Microsoft-IIS/5.0"

Changed name to Web Security Blog

I decided to change the name of this blog to "Web Security Blog". I figured that web security is now a permanent part of my life, and that I frequently want to write about things that are not related to mod_security. This also means that I will be able to write more frequently, with the scope of the blog significantly widened.


