ModSecurity | open source, cross platform web application firewall | Firewall library

by SpiderLabs | C++ | Version: v3.0.9 | License: Apache-2.0

kandi X-RAY | ModSecurity Summary


ModSecurity is a C++ library typically used in Security, Firewall, Nginx applications. ModSecurity has no bugs, it has no vulnerabilities, it has a Permissive License and it has medium support. You can download it from GitHub.

Libmodsecurity is a complete rewrite of the ModSecurity platform. When it was first devised, the ModSecurity project started as just an Apache module. Over time the project has been extended, due to popular demand, to support other platforms including (but not limited to) Nginx and IIS. In order to provide for the growing demand for additional platform support, it has become necessary to remove the Apache dependencies underlying this project, making it more platform independent. As a result of this goal we have rearchitected Libmodsecurity such that it is no longer dependent on the Apache web server (both at compilation and during runtime). One side effect of this is that across all platforms users can expect increased performance. Additionally, we have taken this opportunity to lay the groundwork for some new features that users have long been seeking. For example, we are looking to natively support audit logs in the JSON format, along with a host of other functionality in future versions.

            kandi-support Support

              ModSecurity has a medium active ecosystem.
              It has 6432 star(s) with 1442 fork(s). There are 379 watchers for this library.
              It had no major release in the last 12 months.
              There are 146 open issues and 2094 have been closed. On average issues are closed in 225 days. There are 32 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of ModSecurity is v3.0.9

            kandi-Quality Quality

              ModSecurity has 0 bugs and 0 code smells.

            kandi-Security Security

              ModSecurity has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
              ModSecurity code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            kandi-License License

              ModSecurity is licensed under the Apache-2.0 License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            kandi-Reuse Reuse

              ModSecurity releases are available to install and integrate.
              Installation instructions are not available. Examples and code snippets are available.
              It has 155 lines of code, 0 functions and 6 files.
              It has low code complexity. Code complexity directly impacts maintainability of the code.


            Community Discussions

            QUESTION

            ModSecurity not putting some transactions to audit log
            Asked 2022-Mar-14 at 08:56

            We are facing a problem where in certain cases ModSecurity is not recording the blocking in the audit log, despite our having set it as a default action and the rule not having any logging property set. In the error log, we can see only the rule which was triggered because the anomaly score was reached, but nothing about the rules which actually contributed to the score. In some other cases, this information is visible.

            In modsecurity.conf we have logging of rules enabled

            ...

            ANSWER

            Answered 2022-Mar-14 at 08:56

            It is a bug that is present in ModSecurity 3.0.6 when used along with Nginx.

            The resolution is either not to use custom error_page in Nginx configuration or to recompile the current solution with this fix https://github.com/SpiderLabs/ModSecurity-nginx/pull/273

            Source https://stackoverflow.com/questions/71422368

            QUESTION

            Issue with ResourceSpace app and mod_security
            Asked 2022-Feb-16 at 19:05

            I have a project (it's an old project; it's actually only used as an archive, as we moved on from this app) with ResourceSpace that sometimes needs to be accessed to download some images.

            We have this issue now where users are unable to download as we're getting the following error:

            ...

            ANSWER

            Answered 2022-Feb-16 at 19:05

            Core Rule Set Developer on Duty here. To confirm: when a user takes a legitimate action (making a download, as you mentioned) then that is the error log entry that appears? And the URL in your error message:

            https://jlam.com/rs/pages/download_progress.php?ref=18275

            looks legitimate? If so, then your intuition is correct: that is indeed a false positive! Core Rule Set rule 932115 is matching in error.

            False positives need to be tuned away to make a given web application fully usable through a WAF. We've written extensively about how to do this in our official documentation, which you can find here: https://coreruleset.org/docs/configuring/false_positives_tuning/

            Let's look at the exact issue from your example:

            Source https://stackoverflow.com/questions/71147022

            QUESTION

            Correct syntax for modsecurity rules for Wordpress / Elementor false positives
            Asked 2022-Jan-14 at 22:51

            I'm getting tripped by my WHM ModSecurity using OWASP3 rules.

            I'd like to create a custom rule to the Rules List in Home>Security Center > ModSecurity Tools>Rules List following these exclusions:

            ...

            ANSWER

            Answered 2022-Jan-14 at 22:51

            Core Rule Set Dev on Duty here. As the list of exclusions you gave comes from someone else's blog post it's probably best to ignore them. They disable some key functionality of the Core Rule Set (the 9xxxxx rules you're using are the OWASP Core Rule Set) so it's best not to apply those rule exclusions unless you're certain you know what you're doing and why those exclusions are required.

            The three entries from the "HitList" that you quoted: are you certain those are the result of known good traffic? Are those definitely from when you were trying to update a page and you got 403 errors? If you're sure those are genuine false positives (and not attacks) then let's continue…

            False positive #1
            • The rule causing the false positive: 921110
            • The location in question: /wp-admin/post.php
            • The variable causing the false positive: ARGS:content

            Applying a rule exclusion means poking a hole in your WAF's security. We want to try and be as specific as possible so that we make only the smallest hole necessary. We just want to let through the transactions that are being blocked in error and nothing more. We don't want to open a large hole and present an opportunity for attackers to get through.

            With that in mind, let's try taking the following approach: let's exclude only the variable in question (ARGS:content) and exclude it only from the rule causing the issue (921110) and only for the location we've seen the problem occur at (/wp-admin/post.php).

            Putting all that together looks like so:

            Source https://stackoverflow.com/questions/70687169

            QUESTION

            Mod_security rule exception for url/arg
            Asked 2022-Jan-12 at 11:51

            An image on our site is flagging a modsec rule. I am trying to add a rule exception for only that occurrence. The number at the start of the flagged string is a session number, so I have added a regex to my rule.

            I've tried various permutations but had no joy and would appreciate some advice.

            Blocked URI: https://www.website.com/application/login?0--preLoginHeaderPanel-companyLogo

            Modsec log snippet: [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "65"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1c found within ARGS_NAME:0--preLoginHeaderPanel-companyLogo: 0--preLoginHeaderPanel-companyLogo"]

            Attempted exceptions (within apache.conf): SecRuleUpdateTargetById 942100 !ARGS_NAMES:'[0-9][0-9]?--preLoginHeaderPanel-companyLogo'

            ...

            ANSWER

            Answered 2022-Jan-12 at 11:51

            Core Rule Set Dev on Duty here. Rule 942100 is one of our 'LibInjection' rules. LibInjection is quite opaque (it's a third party library/operator), so you're correct that a rule exclusion is the way to fix this issue.

            The use of regular expressions in this context follows a specific form. They need to be sandwiched inside forward slashes, like so:

            Source https://stackoverflow.com/questions/70679542

            QUESTION

            mod_security(2.x): How to match on an undefined mod-sec variable?
            Asked 2021-Nov-17 at 06:53

            Note: Question has been updated:

            What I am really trying to solve is:

            Two types of requests: A and B.

            B shall only be allowed if A has been called within the last 5 minutes (from the same ip-address).

            My idea for trying to solve this is to have one SecRule, for A-requests, set a mod_sec variable with an expiry timeout, to say the other type of request will be OK.

            For B-requests I want to check if this mod_sec-variable is set or not. If it is not set I want to deny the request.

            My problem with this is that I cannot make the second SecRule match when the variable is not yet set or has expired.

            Original question, which is more of a description of how I tried to make the second match

            How do I make a mod_security(2.x) SecRule match on a (yet) undefined variable in Apache config?

            I.e. I need the SecRule to be fulfilled if the variable is not yet defined. Some things I tested were matching with @eq 0, as anything else should be converted into a 0, but that did not work. I also tried using ! as a not operator inside the operator field of SecRule, but to no avail (or maybe incorrect use?). I even tried using @unconditionalMatch, but it still does not match.

            ...

            ANSWER

            Answered 2021-Nov-17 at 06:53

            Unfortunately the documentation mentioned above doesn't describe the & "operator" in the case of SecRule's variables. This character has special meanings:

            • if the variable is a collection (e.g. ARGS), then using & gives back the length of the collection. E.g. &ARGS gives you how many arguments there are
            • if the variable is a string (e.g. REQUEST_URI) then it gives the length of its value. You can use it for collection members, e.g. &REQUEST_HEADERS:Host

            You can use this form against the operator @eq with a numeric argument, e.g. @eq 0.

            So, based on your clarification, I think you can use something like this:

            Source https://stackoverflow.com/questions/69992316

            QUESTION

            Modsecurity OWASP Core Rule Set - base64 false positive rule 941170
            Asked 2021-Oct-27 at 12:53

            We use ModSecurity 3.X for Nginx with the OWASP Core Rule Set.

            We have a problem with an image in base64 and rule 941170.

            The pattern of the rule is

            ...

            ANSWER

            Answered 2021-Oct-27 at 12:53

            The SecRuleUpdateTargetById rule exclusion you provided looks good to me.

            To be clear, the effect of that rule exclusion is:

            • Rule 941170 no longer applies to the screen argument
            • Rule 941170 still applies to all other arguments as usual
            • All other rules still apply to all arguments, including screen, as usual

            Is there a reason you're not happy with this?

            If you're running a super-high security setup which means that the SecRuleUpdateTargetById rule exclusion is too coarse, two suggestions I would make:

            • If appropriate for your web application, limit the rule exclusion for rule 941170 to only apply to the screen argument and only for a given location (for example, only for requests to /login.php)

            • Limit the rule exclusion for rule 941170 to only apply to the screen argument and only when screen begins with the string data:image/jpeg;base64

            You could even combine both of those suggestions to be extremely specific.

            If either, or both, of those sound applicable to your situation, let me know if you would like help to put those rule exclusions together.

            Also, what paranoia level are you currently running in, out of interest?

            Regarding your suggestion to modify rule 941170's regular expression, it's a bad idea to directly modify third-party rules, such as the Core Rule Set rules. You essentially end up creating your own fork of the rule set, and you're left with the responsibility for maintaining any modifications you make. Upgrading the rule set would become difficult: you would have to remember to keep re-applying, and possibly change, your modifications. In short: rule exclusions are the way to go!

            Update

            The second rule exclusion described above may look something like this:

            Source https://stackoverflow.com/questions/69476974

            QUESTION

            How can I write this modsecurity rule?
            Asked 2021-Oct-16 at 12:59

            I'm trying to write a modsecurity rule that will match several bad User-Agent strings. User agent string looks like this: "bad-agent name (+http://example.com/)"

            But my rule doesn't seem to be working:

            ...

            ANSWER

            Answered 2021-Oct-16 at 12:59

            Your rule looks mostly correct.

            1. Make sure that the SecRuleEngine directive is set to On and not DetectionOnly, otherwise your rule's drop action will never be executed, even if the rule matches.

              Note: Check your error log file. If you see that your rule is matching (and being logged) but your tests aren't having the expected result (no dropped connections), that would suggest that your ModSecurity instance is in DetectionOnly mode.

              You could also swap out drop for deny, which may be easier to test with (a 403 response would be a concrete indication that your rule was working!).

            2. If you do need to anchor your regular expression, you could use:

            Source https://stackoverflow.com/questions/69591108

            QUESTION

            OWASP coreruleset warning "invalid http request line" triggered by CONNECT method
            Asked 2021-Oct-13 at 21:58

            Summary:

            I have setup a basic WAF with mod-security and the OWASP coreruleset 3.3.2. When using the WAF I see lots of warnings in modsec_audit.log regarding the CONNECT method, which trigger crs rule 920100:

            Message: Warning. Match of "rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./](?::\d+)?)?/[^?#](?:\?[^#\s])?(?:#[\S])?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \)\s+[\w\./]+|get /[^?#](?:\?[^#\s])?(?:#[\S])?)$" against "REQUEST_LINE" required. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "63"] [id "920100"] [msg "Invalid HTTP Request Line"] [data "CONNECT oneofmy.longer.hostname.here.abcde.com:443 HTTP/1.1"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"]

            Details regarding setup: I set up the WAF with mod_security 2.9.2 and httpd. I used the crs-setup.conf.example provided by CRS and only modified these two settings regarding the threshold and allowing the CONNECT HTTP method. (The CONNECT method is used in our setup for proxy purposes.)

            ...

            ANSWER

            Answered 2021-Oct-13 at 21:58

            Looking at the part of the regular expression for rule 920100 that deals with the CONNECT method:

            Source https://stackoverflow.com/questions/69434637

            QUESTION

            Bad Request when trying POST in ASP .NET
            Asked 2021-Oct-09 at 12:23

            I have quite simple system: ASP .NET Core server which is hosted on domain.ru. In API controller there I have 2 methods:

            ...

            ANSWER

            Answered 2021-Oct-09 at 12:23

            Well, seems like I found an answer myself. Will leave it here so it can help someone (maybe me in the future).

            Code of the client's send method:

            Source https://stackoverflow.com/questions/69457998

            QUESTION

            Laravel temporary blank white page without error for some users
            Asked 2021-Oct-08 at 18:52

            After deploying the website to a shared host, sometimes all routes of the website become a white page, but at the same time and on the same system in another browser, the entire website's routes come up and work properly.

            The white page occurs for 1 minute or a short time and then it's gone. I mean, if the whole website becomes a white page for me on my laptop, I can access it on my mobile at the same time. And after 1 minute the blank page is gone for me! This blank page is not permanent.

            This condition may be reversed after a few minutes and crash on the correct browser and be fixed on another one.

            There are no errors in Laravel and the server Log, whether based on Memory Limited or other things, Laravel can write errors because normal errors are stored in Laravel Error Log, but I did not see any error that explains this White Page.

            And this problem does not exist when one user is working with the site, but when there is more than one user, this error occurs for some of them and after some minutes it's gone!

            This is my website details:

            ...

            ANSWER

            Answered 2021-Oct-08 at 18:52

            The first line from the server error logs you provided is a ModSecurity log line. We can see that the Comodo WAF is in use:

            Source https://stackoverflow.com/questions/69493152

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install ModSecurity

            You can download it from GitHub.

            Support

            The library documentation is written within the code in Doxygen format. To generate this documentation, please use the doxygen utility with the provided configuration file, “doxygen.cfg”, located within the "doc/" subfolder. This will generate HTML formatted documentation including usage examples.
            Find more information at:

            CLONE
          • HTTPS

            https://github.com/SpiderLabs/ModSecurity.git

          • CLI

            gh repo clone SpiderLabs/ModSecurity

          • sshUrl

            git@github.com:SpiderLabs/ModSecurity.git
