[GPC] Seeking Java Dev help for ModSecurity Port

Ryan Barnett ryan.barnett at owasp.org
Thu Mar 31 16:15:58 EDT 2011


The ModSec CRS will be moving the licensing to Apache Software License (ASL)
v2.

As for your .NET HTTP Module port – will that also support the ModSecurity
Language (SecRule)????  :)

-Ryan

From:  "Calderon, Juan Carlos (GE, Corporate, consultant)"
<juan.calderon at ge.com>
Date:  Thu, 31 Mar 2011 16:09:32 -0400
To:  Ryan Barnett <ryan.barnett at owasp.org>, Paulo Coimbra
<paulo.coimbra at owasp.org>, Jim Manico <jim.manico at owasp.org>
Cc:  Global Projects Committee <global-projects-committee at lists.owasp.org>
Subject:  RE: Seeking Java Dev help for ModSecurity Port

> For me it is fine, as long as OWASP retains attribution for it. Which I don't
> think is a problem, right? :)
>  
> BTW I am also interested in doing the port for .NET HTTP Module, but we will
> talk about that later
>  
> Regards,
> Juan C Calderon
> 
> 
> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
> Sent: Thursday, March 31, 2011 12:00 PM
> To: Paulo Coimbra; 'Jim Manico'; Calderon, Juan Carlos (GE, Corporate,
> consultant)
> Cc: 'Global Projects Committee'
> Subject: Re: Seeking Java Dev help for ModSecurity Port
> 
> Speaking selfishly, I would love for this to be hosted under the ModSecurity
> Project link as I want to bill this as a "port" of ModSecurity to Java. :)
> 
> I will defer to Juan Carlos and Jim however as they are the leads.
> 
> -Ryan
> 
> From: Paulo Coimbra <paulo.coimbra at owasp.org>
> Date: Thu, 31 Mar 2011 18:46:12 +0100
> To: 'Jim Manico' <jim.manico at owasp.org>, "'Calderon, Juan Carlos (GE,
> Corporate, consultant)'" <juan.calderon at ge.com>
> Cc: Ryan Barnett <ryan.barnett at owasp.org>, 'Global Projects Committee'
> <global-projects-committee at lists.owasp.org>
> Subject: RE: Seeking Java Dev help for ModSecurity Port
> 
>> Jim, Juan & Ryan,
>> 
>> It's always a pleasure setting up a project for any of you distinguished
>> OWASP contributors and leaders. I propose though that you first send us a
>> couple of lines defining the project's purpose and a roadmap. If you agree
>> with doing so it will allow the GPC to act in accordance with its mission,
>> i.e. "(...) the GPC shall provide support and direction for new projects.
>> (...)". Additionally, from what I've understood from the thread below, I was
>> unsure whether or not this new project could be placed under a broader Java
>> Project hat or if it could be hosted in a common root link also shared by
>> the ModSecurity Core Rule Set Project – does my interrogation make any
>> sense?
>> 
>> http://www.owasp.org/index.php/OWASP_Java_Project
>> 
>> http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
>> 
>> Please note that my above path proposal doesn't intend at all to impose any
>> kind of constraint on OWASP contributors' initiative, and therefore if you
>> think it is best that I set up the templates right now, before further input
>> is made available, as long as the GPC also agrees, it will be done. Truly I
>> am just looking for an approach that allows us a shared effort to create as
>> much value and synergy as possible.
>> 
>> PS. Pablo is fine and, happy for being in people's minds, sends regards :)
>> 
>> Thanks,
>> 
>> - Paulo
>> 
>> Paulo Coimbra,
>> OWASP Project Manager <http://www.owasp.org/index.php/User:Paulo_Coimbra>
>> 
>> From: Jim Manico [mailto:jim.manico at owasp.org]
>> Sent: Wednesday, 30 March 2011 21:31
>> To: Calderon, Juan Carlos (GE, Corporate, consultant)
>> Cc: Ryan Barnett; Paulo Coimbra
>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>> 
>> Paulo,
>> 
>> We would like to start a new project -
>> 
>> "The OWASP Java Web Application Firewall"
>> 
>> Could you send us a project template please? And could you tell Pablo hello
>> for us? (joking ;)
>> 
>> Thanks all.
>> 
>> - Jim
>> 
>> PS: Juan Carlos - I'm so very grateful someone of your skill is jumping in
>> to help us!!!
>> 
>>> Not yet, there is not even a project page so far, as this is very new.
>>> 
>>> We should let Pablo know about this "new" project. Would you do it Jim
>>> or should I do it?
>>> 
>>> Regards,
>>> Juan C Calderon
>>> Softtek GDC Aguascalientes
>>> 
>>> -----Original Message-----
>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>> Sent: Wednesday, March 30, 2011 1:20 PM
>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>> 
>>> Should I CC Arshan on this topic? Or is there an owasp-java-waf
>>> mail-list?
>>> 
>>> -Ryan
>>> 
>>> On 3/30/11 12:00 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>> <juan.calderon at ge.com> wrote:
>>> 
>>>> It's OK for me, the more visibility I get on the OWASP WAF the
>>>> better, I expect some people get interested and test it in the real
>>>> world.
>>>> 
>>>> Regards,
>>>> Juan C Calderon
>>>> 
>>>> -----Original Message-----
>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>> Sent: Wednesday, March 30, 2011 9:51 AM
>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>> 
>>>> Awesome news Juan Carlos! We are putting together a minimum spec for
>>>> porting/supporting the rules language. I will let you know as soon
>>>> as we have it. You are right though that it will be a subset of
>>>> variables and operators.
>>>> 
>>>> Is it OK with you both if I announce this to the leaders list?
>>>> 
>>>> Cheers,
>>>> Ryan
>>>> 
>>>> On 3/30/11 11:03 AM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>> <juan.calderon at ge.com> wrote:
>>>> 
>>>>> It makes sense to me and I agree, adding support for a basic set of
>>>>> ModSecurity rules will also make it easier to maintain that
>>>>> compatibility.
>>>>> 
>>>>> Ok I will plan to add support in the next release for SecRule with a
>>>>> limited number of variables and operators (to begin with), and maybe
>>>>> include the rule updater as well.
>>>>> 
>>>>> Do you have any BNF of Rules grammar? I could use that to create a
>>>>> rule parser.
>>>>> 
>>>>> Regards,
>>>>> Juan C Calderon
>>>>> 
>>>>> -----Original Message-----
>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>> Sent: Wednesday, March 30, 2011 8:45 AM
>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>> 
>>>>> I agree with you that creating similar OWASP WAF policies to match
>>>>> what is in the OWASP ModSec CRS would be faster, however that is not
>>>>> my goal :) I am looking for "ports" of ModSecurity to different
>>>>> platforms. The way it stands today, if someone is running a Java
>>>>> server (Tomcat, etc...) and they want to use ModSecurity, they have
>>>>> to setup a local Apache reverse proxy with ModSec on it and then
>>>>> setup Tomcat on a different port and proxy to it. This is kludgy...
>>>>> While I agree that you could get similar coverage by expanding the
>>>>> OWASP WAF policies to detect similar attacks, the key to an actual
>>>>> "port" is using the ModSecurity rule language. This would allow Java
>>>>> app server users to use the OWASP ModSec CRS rules.
>>>>> 
>>>>> One thing to keep in mind - you don't have to implement all ModSec
>>>>> functionality for a v1 port. We are working on documenting a "Core"
>>>>> spec that outlines what base capabilities you would need. The main
>>>>> ones are use of SecRule -
>>>>> https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRule
>>>>> 
>>>>> Does this make sense?
>>>>> 
>>>>> -Ryan
>>>>> 
>>>>> On 3/29/11 8:35 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>>> <juan.calderon at ge.com> wrote:
>>>>> 
>>>>>> Ok I just checked the documentation, I think the best approach to
>>>>>> get the faster result is to create a ModSecurity WAF policy
>>>>>> containing equivalent OWASP WAF rules. Creating a parser for
>>>>>> ModSecurity Rules will be much harder.
>>>>>> 
>>>>>> What do you think?
>>>>>> 
>>>>>> Regards,
>>>>>> Juan C Calderon
>>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>> Sent: Tuesday, March 29, 2011 11:16 AM
>>>>>> To: Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>> 
>>>>>> Outstanding! Thanks Juan Carlos.
>>>>>> 
>>>>>> FYI - check out the "Ports" section of our Projects page to see
>>>>>> what other ports are in progress/on the roadmap -
>>>>>> http://www.modsecurity.org/projects/
>>>>>> 
>>>>>> We have a really old Java Servlet Filter version of ModSecurity
>>>>>> that may be of some help. I think that updating the current
>>>>>> owasp-java-waf code would probably be better though as the version
>>>>>> we had uses the old ModSecurity v.1 rules language syntax.
>>>>>> 
>>>>>> If you look at the link for "Sun Java Web Server Version 7.0 Update
>>>>>> 2" link
>>>>>> - http://blogs.sun.com/meena/entry/intrusion_detection_in_sun_java
>>>>>> - you can see the ModSecurity rules language components they have
>>>>>> implemented thus far.
>>>>>> 
>>>>>> Let me know if you need any help!
>>>>>> 
>>>>>> Thanks again,
>>>>>> Ryan
>>>>>> 
>>>>>> On 3/29/11 1:10 PM, "Calderon, Juan Carlos (GE, Corporate, consultant)"
>>>>>> <juan.calderon at ge.com> wrote:
>>>>>> 
>>>>>>> @Ryan, hello again villa-mate :)
>>>>>>> 
>>>>>>> @Jim, Yes I do have interest in continuing with this effort, at
>>>>>>> least to make the WAF reach release level.
>>>>>>> 
>>>>>>> Let me give the rules a look to see what it would take to
>>>>>>> implement them in the OWASP Java WAF.
>>>>>>> 
>>>>>>> Regards,
>>>>>>> Juan C Calderon
>>>>>>> 
>>>>>>> -----Original Message-----
>>>>>>> From: Ryan Barnett [mailto:ryan.barnett at owasp.org]
>>>>>>> Sent: Tuesday, March 29, 2011 11:02 AM
>>>>>>> To: Jim Manico; Calderon, Juan Carlos (GE, Corporate, consultant)
>>>>>>> Subject: Re: Seeking Java Dev help for ModSecurity Port
>>>>>>> 
>>>>>>> Ha, Juan Carlos and I were Villa mates in Portugal! :)
>>>>>>> 
>>>>>>> Juan Carlos - let me know what you think about the idea of
>>>>>>> updating the owasp-java-waf code to be able to use the ModSecurity
>>>>>>> Rules Language syntax (SecRules, etc...).
>>>>>>> 
>>>>>>> Thanks,
>>>>>>> Ryan
>>>>>>> 
>>>>>>> On 3/29/11 12:56 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>>>>> 
>>>>>>>> On 3/29/2011 9:46 AM, Ryan Barnett wrote:
>>>>>>>>> Yeah,
>>>>>>>>> Let's see if we can move forward with the idea of migrating
>>>>>>>>> ESAPI WAF to be a stand-alone project. Then the Java lead
>>>>>>>>> (whoever that is) can implement the ModSecurity rules language
>>>>>>>>> and redub it "ModSecurity Java Servlet WAF".
>>>>>>>> 
>>>>>>>> The migration to a standalone project is already done, Ryan -
>>>>>>>> meet Juan Carlos Calderon; he is "by default" the current owner
>>>>>>>> of the owasp-java-waf project :)
>>>>>>>> 
>>>>>>>> http://code.google.com/p/owasp-java-waf/
>>>>>>>> 
>>>>>>>> As you can see, we have work to do :)
>>>>>>>> 
>>>>>>>> Juan Carlos - meet Ryan Barnett. Ryan is one of the most
>>>>>>>> respected WAF'ers on the planet. He is currently the leader of
>>>>>>>> the OWASP ModSecurity Core Ruleset.
>>>>>>>> 
>>>>>>>> Juan Carlos, do you have any interest in continuing to work on
>>>>>>>> this project sir?
>>>>>>>> 
>>>>>>>> Aloha!
>>>>>>>> - Jim
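The thread repeatedly comes back to a Java port needing a SecRule parser for "a limited number of variables and operators" rather than the full language. The block below is an added illustration of what such a v1 subset looks like; it is not code from the thread, from owasp-java-waf, or from ModSecurity. It assumes only two variables (`ARGS`, `REQUEST_URI`), two operators (`@rx`, `@contains`) and the `deny` and `id` actions; the rule, its id and the request parameter in `main` are constructed samples.

```java
import java.util.*;
import java.util.regex.*;

/** Minimal SecRule subset: SecRule VARIABLES "OPERATOR ARG" "ACTIONS" (added example). */
public class MiniSecRule {
    // Three quoted/unquoted fields; nested escaped quotes are outside this subset.
    private static final Pattern RULE =
        Pattern.compile("^SecRule\\s+(\\S+)\\s+\"(.*?)\"\\s+\"(.*?)\"\\s*$");

    final List<String> variables;   // subset: ARGS and REQUEST_URI, '|'-separated
    final String operator;          // subset: "rx" or "contains"
    final String argument;          // operator argument (regex or literal substring)
    final boolean deny;             // subset of actions: deny; anything else passes
    final String id;                // value of id:NNN, or null when absent

    MiniSecRule(String line) {
        Matcher m = RULE.matcher(line.trim());
        if (!m.matches()) throw new IllegalArgumentException("unsupported rule: " + line);
        variables = Arrays.asList(m.group(1).split("\\|"));
        String op = m.group(2);
        if (op.startsWith("@rx ")) { operator = "rx"; argument = op.substring(4); }
        else if (op.startsWith("@contains ")) { operator = "contains"; argument = op.substring(10); }
        else throw new IllegalArgumentException("unsupported operator: " + op);
        String found = null; boolean d = false;
        for (String a : m.group(3).split(",")) {
            a = a.trim();
            if (a.startsWith("id:")) found = a.substring(3);
            if (a.equals("deny")) d = true;
        }
        id = found; deny = d;
    }

    /** True when any value of a targeted variable matches; @rx is an unanchored search, as in ModSecurity. */
    boolean matches(String requestUri, Map<String, String> args) {
        List<String> values = new ArrayList<>();
        for (String v : variables) {
            if (v.equals("REQUEST_URI")) values.add(requestUri);
            else if (v.equals("ARGS")) values.addAll(args.values());
            else throw new IllegalArgumentException("unsupported variable: " + v);
        }
        for (String value : values)
            if (operator.equals("rx") ? Pattern.compile(argument).matcher(value).find()
                                      : value.contains(argument)) return true;
        return false;
    }

    public static void main(String[] a) {
        // Constructed rule in CRS-style syntax; the id is a placeholder, not a CRS rule id.
        MiniSecRule r = new MiniSecRule(
            "SecRule ARGS|REQUEST_URI \"@rx (?i)union\\s+select\" \"id:900001,deny\"");
        Map<String, String> q = new HashMap<>();
        q.put("id", "1 UNION SELECT name FROM users");  // constructed request parameter
        System.out.println(r.matches("/item", q) && r.deny ? "deny (rule " + r.id + ")" : "pass");
    }
}
```

Save as MiniSecRule.java; unsupported variables or operators throw rather than silently passing, so an unported rule is noticed at load time instead of leaving a coverage gap.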

