Re: [Owasp-modsecurity-core-rule-set] Testing Custom Rules

Thu, 05 May 2011 09:41:49 -0700 

Hi Ken,

your question is hitting the spot. Currently there is no such test engine 
available.
I've done some work on that by implementing a TestClient in Java, which 
basically
can re-inject all requests from a recorded ModSecurity audit-log.

I've had plans (and started some of that) to implement an "X"-Section which can 
be
used to define "expected behaviour". For example, you could add some tests like:

     RESPONSE_STATUS @eq 404
     RESPONSE_BODY "@rx !MySQL Error"
     ...

However, since such a test-client can only check for expected results within the
server response, this is somewhat limitted. An extension might be to connect to 
the
AuditConsole and check the resulting "newly created" audit log events for the 
requests
that are injected for testing.

If that sounds interesting to you, just drop me a line. I'd be happy to include 
such
a thing in the jwall-tools (open-source).

Chris


   

Am 05.05.2011 um 17:54 schrieb Ken Brucker:

> Hi - I have some custom rules I'd like to create and I'm looking for a test 
> engine to drive the rules and ensure I'm getting the expected results.  I 
> checked the FAQ and found this question that directly relates:
> 
>  How do I handle False Positives and creating Custom Rules?
> 
> It is inevitable; you will run into some False Positive hits when using web 
> application firewalls. This is not something that is unique to ModSecurity. 
> All web application firewalls will generate false positives from time to 
> time. The following Blog post information will help to guide you through the 
> process of identifying, fixing, implementing and testing new custom rules to 
> address false positives.
> 
> But...  the last sentence states "The following blog post information ..."  
> and there is no blog post information following.  Where do I find the 
> referenced material?
> 
> Does a test engine exist outside Apache to feed data through the rules to 
> enable easy regression testing in addition to focused testing of new rules?
> 
> Regards,
> Ken
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

Reply via email to