I'm currently "benchmarking" gotroot modsec rules for a potential live account in the future.
I have downloaded the latest free rule set and am running Debian wheezy for the tests.
apache2 -v
Server version: Apache/2.2.17 (Debian)
Server built: Apr 10 2011 18:44:46
With libapache-mod-security_2.5.9-1_i386.deb (taken from mod security website)
I have included the following gotroot rules:
Include /etc/apache2/modsecurity.d/modsecurity_crs_10_config.conf
Include /etc/apache2/modsecurity.d/05_asl_exclude.conf
Include /etc/apache2/modsecurity.d/05_asl_scanner.conf
Include /etc/apache2/modsecurity.d/10_asl_antimalware.conf
Include /etc/apache2/modsecurity.d/10_asl_rules.conf
Include /etc/apache2/modsecurity.d/20_asl_useragents.conf
Include /etc/apache2/modsecurity.d/30_asl_antispam.conf
Include /etc/apache2/modsecurity.d/50_asl_rootkits.conf
Include /etc/apache2/modsecurity.d/60_asl_recons.conf
Include /etc/apache2/modsecurity.d/99_asl_exclude.conf
Include /etc/apache2/modsecurity.d/99_asl_jitp.conf
Most of the standard attacks are blocked, like:
curl "http://192.168.200.74:8080/xss.php?arg=<script>alert ('XSS')</script>"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
...
cat code_inj.php
<?php
$varerror = system('cat '.$_GET['pageid'], $valoretorno);
echo $varerror;
?>
curl "http://192.168.200.74:8080/code_inj.php?pageid=plop;ls%20/"
This call is blocked though:
curl "http://192.168.200.74:8080/code_inj.php?pageid=plop;cat%20/etc/passwd"
Thanks in advance,
Greg
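The test target above (code_inj.php) passes a query parameter straight into system(), so the WAF rules are the only thing between the request and a shell. As an added example that is not from the original post, here is a hardened replacement that never invokes a shell: the page id is matched against an allowlist and the resolved file path is checked to stay inside a pages directory. The directory name, the allowlisted ids and the .txt extension are assumptions for illustration.

```php
<?php
// Added example, not from the original post: hardened replacement for code_inj.php.
// No shell is involved; the page id is validated against an allowlist and the
// resolved path is confined to PAGES_DIR.

declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';                 // assumed location of the page files
const ALLOWED_PAGES = ['home', 'about', 'contact'];   // assumed allowlist of page ids

function resolvePage(string $pageId): ?string
{
    // Reject anything that is not an allowlisted identifier before touching the filesystem.
    if (!in_array($pageId, ALLOWED_PAGES, true)) {
        return null;
    }

    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $pageId . '.txt');

    // realpath() resolves symlinks and '..'; the prefix check rejects a page file
    // that points outside the pages directory.
    $prefix = $base === false ? '' : $base . DIRECTORY_SEPARATOR;
    if ($base === false || $path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $path;
}

$raw = $_GET['pageid'] ?? '';
$path = resolvePage(is_string($raw) ? $raw : '');

if ($path === null) {
    http_response_code(404);
    echo 'Unknown page';
    exit;
}

header('Content-Type: text/plain; charset=utf-8');
readfile($path);
```

With this version a request such as `?pageid=plop;ls%20/` is rejected by the allowlist check before any filesystem or shell access, independent of which ModSecurity rules are loaded.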