[GPC] Seeking Java Dev help for ModSecurity Port
Ryan Barnett
ryan.barnett at owasp.org
Thu Mar 31 16:15:58 EDT 2011
The ModSec CRS will be moving the licensing to Apache Software License (ASL)
v2.
As for your .NET HTTP Module port – will that also support the ModSecurity
Language (SecRule)???? :)
-Ryan
From: "Calderon, Juan Carlos (GE, Corporate, consultant)"
<juan.calderon at ge.com>
Date: Thu, 31 Mar 2011 16:09:32 -0400
To: Ryan Barnett <ryan.barnett at owasp.org>, Paulo Coimbra
<paulo.coimbra at owasp.org>, Jim Manico <jim.manico at owasp.org>
Cc: Global Projects Committee <global-projects-committee at lists.owasp.org>
Subject: RE: Seeking Java Dev help for ModSecurity Port
> For me it is fine, as long as OWASP retains attribution for it. Which I don't
> think is a problem, right? :)
>
> BTW I am also interested in doing the port for .NET HTTP Module, but we will
> talk about that later
>
> Regards,
> Juan C Calderon
>
>
> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
> Sent: Thursday, March 31, 2011 12:00 PM
> To: Paulo Coimbra; 'Jim Manico'; Calderon, Juan Carlos (GE, Corporate,
> consultant)
> Cc: 'Global Projects Committee'
> Subject: Re: Seeking Java Dev help for ModSecurity Port
>
> Speaking selfishly, I would love for this to be hosted under the ModSecurity
> Project link as I want to bill this as a "port" of ModSecurity to Java. :)
>
> I will defer to Juan Carlos and Jim however as they are the leads.
>
> -Ryan
>
> From: Paulo Coimbra <paulo.coimbra at owasp.org>
> Date: Thu, 31 Mar 2011 18:46:12 +0100
> To: 'Jim Manico' <jim.manico at owasp.org>, "'Calderon, Juan Carlos (GE,
> Corporate, consultant)'" <juan.calderon at ge.com>
> Cc: Ryan Barnett <ryan.barnett at owasp.org>, 'Global Projects Committee'
> <global-projects-committee at lists.owasp.org>
> Subject: RE: Seeking Java Dev help for ModSecurity Port
>
>> Jim, Juan & Ryan,
>>
>> It's always a pleasure setting up a project for any of you distinguished
>> OWASP contributors and leaders. I propose though you firstly send us off a
>> couple of lines defining the project's purpose and a roadmap. If you agree
>> with doing so it will allow the GPC to act in accordance with its mission,
>> i.e. (...) the GPC shall provide support and direction for new projects.
>> (...). Additionally, from what I've understood from the thread below, I was
>> unsure whether or not this new project could be placed under a broader Java
>> Project hat or if it could be hosted in a common root link also shared by
>> the ModSecurity Core Rule Set Project. Does my interrogation make any
>> sense?
>>
>> http://www.owasp.org/index.php/OWASP_Java_Project
>>
>> http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
>>
>> Please note that my above path proposal doesn't intend at all to impose any
>> kind of constraint on OWASP contributors' initiative and therefore if you
>> think it is best that I set the templates right now before further input is
>> made available, as long as GPC also agrees, it will be done. Truly I am just
>> looking for an approach to allow us a shared effort to create as much value
>> and synergies as possible.
>>
>> PS. Pablo is fine and, happy for being in people's minds, sends regards :)
>>
>> Thanks,
>>
>> - Paulo
>>
>> Paulo Coimbra,
>> OWASP Project Manager <http://www.owasp.org/index.php/User:Paulo_Coimbra>
>>
>> From: Jim Manico [mailto:jim.manico at owasp.org]
>> Sent: Wednesday, 30 March 2011 21:31
>> To: Calderon, Juan Carlos (GE, Corporate, consultant)
>> Cc: Ryan Barnett; Paulo Coimbra
>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>
>> Paulo,
>>
>> We would like to start a new project -
>>
>> "The OWASP Java Web Application Firewall"
>>
>> Could you send us a project template please? And could you tell Pablo hello
>> for us? (joking ;)
>>
>> Thanks all.
>>
>> - Jim
>>
>> PS: Juan Carlos - I'm so very grateful someone of your skill is jumping in
>> to help us!!!
>>
>>> Not yet, there is not even a project page so far, as this is very new.
>>>
>>> We should let Pablo know about this "new" project. Would you do it Jim
>>> or should I do it?
>>>
>>> Regards,
>>> Juan C Calderon
>>> Softtek GDC Aguascalientes
>>>
>>> -----Original Message-----
>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>> Sent: Wednesday, March 30, 2011 1:20 PM
>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>
>>> Should I CC Arshan on this topic? Or is there an owasp-java-waf
>>> mail-list?
>>>
>>> -Ryan
>>>
>>> On 3/30/11 12:00 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>> <juan.calderon at ge.com> wrote:
>>>
>>>> It's OK for me, the more visibility I get on the OWASP WAF the
>>>> better, I expect some people get interested and test it on real world.
>>>>
>>>> Regards,
>>>> Juan C Calderon
>>>>
>>>> -----Original Message-----
>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>> Sent: Wednesday, March 30, 2011 9:51 AM
>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>
>>>> Awesome news Juan Carlos! We are putting together a minimum spec for
>>>> porting/supporting the rules language. I will let you know as soon
>>>> as we have it. You are right though that it will be a subset of
>>>> variables and operators.
>>>>
>>>> Is it OK with you both if I announce this to the leaders list?
>>>>
>>>> Cheers,
>>>> Ryan
>>>>
>>>> On 3/30/11 11:03 AM, "Calderon, Juan Carlos (GE, Corporate,
>>>> consultant)" <juan.calderon at ge.com> wrote:
>>>>
>>>>> It makes sense to me and I agree, adding support for a basic set of
>>>>> ModSecurity rules will also make it easier to maintain that
>>>>> compatibility.
>>>>>
>>>>> Ok I will plan to add support in the next release for SecRule with a
>>>>> limited number of variables and operators (to begin with), and maybe
>>>>> include the rule updater as well.
>>>>>
>>>>> Do you have any BNF of Rules grammar? I could use that to create a
>>>>> rule parser.
>>>>>
>>>>> Regards,
>>>>> Juan C Calderon
>>>>>
>>>>> -----Original Message-----
>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>> Sent: Wednesday, March 30, 2011 8:45 AM
>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>
>>>>> I agree with you that creating similar OWASP WAF policies to match
>>>>> what is in the OWASP ModSec CRS would be faster, however that is not my
>>>>> goal :) I am looking for "ports" of ModSecurity to different platforms.
>>>>> The way it stands today, if someone is running a Java server (Tomcat,
>>>>> etc...) and they want to use ModSecurity, they have to setup a local
>>>>> Apache reverse proxy with ModSec on it and then setup Tomcat on a
>>>>> different port and proxy to it. This is kludgy... While I agree that
>>>>> you could get similar coverage by expanding the OWASP WAF policies
>>>>> to detect similar attacks, the key to an actual "port" is using the
>>>>> ModSecurity rule language. This would allow Java app server users
>>>>> to use the OWASP ModSec CRS rules.
>>>>>
>>>>> One thing to keep in mind - you don't have to implement all ModSec
>>>>> functionality for a v1 port. We are working on documenting a "Core"
>>>>> spec that outlines what base capabilities you would need. The main
>>>>> ones are use of SecRule -
>>>>> https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRule
>>>>>
>>>>> Does this make sense?
>>>>>
>>>>> -Ryan
>>>>>
>>>>> On 3/29/11 8:35 PM, "Calderon, Juan Carlos (GE, Corporate,
>>>>> consultant)" <juan.calderon at ge.com> wrote:
>>>>>
>>>>>> Ok I just checked the documentation, I think the best approach to
>>>>>> get the faster result is to create a ModSecurity WAF policy containing
>>>>>> equivalent OWASP WAF rules. Creating a parser for ModSecurity Rules
>>>>>> will be much harder.
>>>>>>
>>>>>> What do you think?
>>>>>>
>>>>>> Regards,
>>>>>> Juan C Calderon
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>> Sent: Tuesday, March 29, 2011 11:16 AM
>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>
>>>>>> Outstanding! Thanks Juan Carlos.
>>>>>>
>>>>>> FYI - check out the "Ports" section of our Projects page to see
>>>>>> what other ports are in progress/on the roadmap -
>>>>>> http://www.modsecurity.org/projects/
>>>>>>
>>>>>> We have a really old Java Servlet Filter version of ModSecurity
>>>>>> that may be of some help. I think that updating the current
>>>>>> owasp-java-waf code would probably be better though as the version we
>>>>>> had uses the old ModSecurity v.1 rules language syntax.
>>>>>>
>>>>>> If you look at the link for "Sun Java Web Server Version 7.0 Update
>>>>>> 2" link
>>>>>> - http://blogs.sun.com/meena/entry/intrusion_detection_in_sun_java
>>>>>> - you can see the ModSecurity rules language components they have
>>>>>> implemented thus far.
>>>>>>
>>>>>> Let me know if you need any help!
>>>>>>
>>>>>> Thanks again,
>>>>>> Ryan
>>>>>>
>>>>>> On 3/29/11 1:10 PM, "Calderon, Juan Carlos (GE, Corporate,
>>>>>> consultant)" <juan.calderon at ge.com> wrote:
>>>>>>
>>>>>>> @Ryan, hello again villa-mate :)
>>>>>>>
>>>>>>> @Jim, Yes I do have interest in continuing with this effort at
>>>>>>> least to make the WAF reach release level.
>>>>>>>
>>>>>>> Let me give the rules a look to see what it would take to
>>>>>>> implement them in the OWASP Java WAF.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Juan C Calderon
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>> Sent: Tuesday, March 29, 2011 11:02 AM
>>>>>>> To: Jim Manico; Calderon, Juan Carlos (GE, Corporate, consultant)
>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>>
>>>>>>> Ha, Juan Carlos and I were Villa mates in Portugal! :)
>>>>>>>
>>>>>>> Juan Carlos - let me know what you think about the idea of
>>>>>>> updating the owasp-java-waf code to be able to use the ModSecurity
>>>>>>> Rules Language syntax (SecRules, etc...).
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Ryan
>>>>>>>
>>>>>>> On 3/29/11 12:56 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>>>>>
>>>>>>>> On 3/29/2011 9:46 AM, Ryan Barnett wrote:
>>>>>>>>> Yeah,
>>>>>>>>> Let's see if we can move forward with the idea of migrating
>>>>>>>>> ESAPI WAF to be a stand-alone project. Then the Java lead (whoever
>>>>>>>>> that is) can implement the ModSecurity rules language and redub it
>>>>>>>>> "ModSecurity Java Servlet WAF".
>>>>>>>>
>>>>>>>> The migration to a standalone project is already done, Ryan -
>>>>>>>> meet Juan Carlos Calderon; he is "by default" the current owner of the
>>>>>>>> owasp-java-waf project :)
>>>>>>>>
>>>>>>>> http://code.google.com/p/owasp-java-waf/
>>>>>>>>
>>>>>>>> As you can see, we have work to do :)
>>>>>>>>
>>>>>>>> Juan Carlos - meet Ryan Barnett. Ryan is one of the most
>>>>>>>> respected WAF'ers on the planet. He is currently the leader of
>>>>>>>> the OWASP ModSecurity Core Ruleset.
>>>>>>>>
>>>>>>>> Juan Carlos, do you have any interest in continuing to work on
>>>>>>>> this project sir?
>>>>>>>>
>>>>>>>> Aloha!
>>>>>>>> - Jim
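An added example (not code from the owasp-java-waf project or from anyone on this thread) of the first-release approach Juan Carlos and Ryan settle on above: a SecRule parser that accepts only a limited set of variables (ARGS, ARGS:name, REQUEST_URI) and operators (@rx, @contains, @streq) and evaluates a rule against a request. The directive form shown, the map-based request model, and the sample rule and request are assumptions constructed for this illustration.

```java
import java.util.*;
import java.util.regex.*;

// Illustrative SecRule subset for a Java servlet WAF (added example, not owasp-java-waf code).
// Directive form handled:  SecRule VARIABLES "OPERATOR [ARG]" "ACTIONS"
// Variables: ARGS, ARGS:name, REQUEST_URI.  Operators: @rx, @contains, @streq.
public final class MiniSecRule {
    private static final Pattern DIRECTIVE =
        Pattern.compile("^SecRule\\s+(\\S+)\\s+\"([^\"]*)\"\\s+\"([^\"]*)\"\\s*$");
    final List<String> variables;   // e.g. [ARGS, REQUEST_URI], split on '|'
    final String operator, operand; // e.g. @rx and its pattern
    final List<String> actions;     // e.g. [id:1001, phase:2, deny, ...]; parsed but not executed here
    private MiniSecRule(List<String> v, String op, String arg, List<String> a) {
        variables = v; operator = op; operand = arg; actions = a;
    }
    // Parse one directive. A bare pattern with no '@' operator means @rx, as in ModSecurity.
    static MiniSecRule parse(String line) {
        Matcher m = DIRECTIVE.matcher(line.trim());
        if (!m.matches()) throw new IllegalArgumentException("unsupported SecRule form: " + line);
        String opField = m.group(2);
        String op = opField.startsWith("@") ? opField.split("\\s+", 2)[0] : "@rx";
        String arg = opField.startsWith("@") ? opField.substring(op.length()).trim() : opField;
        return new MiniSecRule(Arrays.asList(m.group(1).split("\\|")), op, arg,
                               Arrays.asList(m.group(3).split("\\s*,\\s*")));
    }
    // Resolve one variable against a constructed request model (URI plus already-parsed args).
    static List<String> collect(String var, String uri, Map<String, List<String>> args) {
        if (var.equals("REQUEST_URI")) return List.of(uri);
        if (var.equals("ARGS")) { List<String> all = new ArrayList<>(); args.values().forEach(all::addAll); return all; }
        if (var.startsWith("ARGS:")) return args.getOrDefault(var.substring(5), List.of());
        throw new IllegalArgumentException("unsupported variable: " + var);
    }
    // A rule matches if the operator is true for any selected value (ModSecurity's per-value semantics).
    boolean matches(String uri, Map<String, List<String>> args) {
        for (String var : variables) for (String value : collect(var, uri, args)) {
            switch (operator) {
                case "@rx":       if (Pattern.compile(operand).matcher(value).find()) return true; break;
                case "@contains": if (value.contains(operand)) return true; break;
                case "@streq":    if (value.equals(operand)) return true; break;
                default: throw new IllegalArgumentException("unsupported operator: " + operator);
            }
        }
        return false;
    }
    public static void main(String[] a) {
        MiniSecRule r = parse("SecRule ARGS|REQUEST_URI \"@rx (?i)<script\" \"id:1001,phase:2,deny,msg:'XSS probe'\"");
        Map<String, List<String>> args = Map.of("q", List.of("<SCRIPT>alert(1)</SCRIPT>"));  // constructed request
        System.out.println(r.matches("/search", args) + " -> actions " + r.actions);
    }
}
```

Anything outside the supported subset is rejected at parse or evaluation time rather than silently skipped, so a CRS rule the port cannot yet honour fails loudly when the policy loads instead of giving false assurance.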