

Subject: WAS Protect update (Aug 19)



I have completed a large part of the WAS Protect reference
implementation (a Java Servlet Filter). The finished part is the
backend, which allows the rule engine to be built on top. I've also
tidied the spec and created the first version of the schema (attached
to this email, together with a rule example). I will look into
improving the schema to reference multiple rule databases and to
allow rule versioning.

I expect to have a fully-functional version ready in two to three weeks,
so (with some buffer added to that) I'm giving myself a deadline to
have everything ready for September 20.

One thing I cannot do by myself is test the software. The filter
must be tested with real-life applications running on different
servlet containers. The thing that needs to be tested is the
transparency. When installed with no rules, the filter must not
interfere with the application in any way. The Servlet specification
leaves some things undefined so this is where differences between
containers may come to light.

I would appreciate it if some of you could help with the testing.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]




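<?xml version="1.0"?>
<!--
  WAS Protect rule schema (the recipe example refers to it as wasprotect.xsd).
  No targetNamespace is declared, so instance documents bind to it with
  xsi:noNamespaceSchemaLocation and use unqualified element names.
-->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">

    <!-- Vocabulary of input-normalization step names. The schema only fixes
         the spelling of each name; what a step actually does is defined by the
         filter, not here. NOTE(review): recipeType/@normalization below is
         still typed xs:string and does not reference this type, so the
         enumeration is currently not enforced on instance documents. -->
    <xs:simpleType name="normalizationType">
        <xs:annotation>
            <xs:documentation>Names of the normalization steps a recipe may request.</xs:documentation>
        </xs:annotation>
        <xs:restriction base="xs:string">
            <xs:enumeration value="decodeURLEncoded"/>
            <xs:enumeration value="decodeURLEncodedTwice"/>
            <xs:enumeration value="decodeEscaped"/>
            <xs:enumeration value="decodeUnicode"/>
            <xs:enumeration value="decodeIISUnicode"/>
            <xs:enumeration value="compressWhitespace"/>
            <xs:enumeration value="compressMultipleSlashes"/>
            <xs:enumeration value="convertBackslashes"/>
            <xs:enumeration value="removeSelfReferences"/>
        </xs:restriction>
    </xs:simpleType>

    <!-- Point in request/response processing at which a ruleSet is evaluated. -->
    <xs:simpleType name="stageType">
        <xs:annotation>
            <xs:documentation>Processing stage a ruleSet applies to.</xs:documentation>
        </xs:annotation>
        <xs:restriction base="xs:string">
            <xs:enumeration value="requestHeaders"/>
            <xs:enumeration value="requestBody"/>
            <xs:enumeration value="response"/>
        </xs:restriction>
    </xs:simpleType>

    <!-- Comparison applied between a rule's args and its pattern. The "n"-prefixed
         values presumably negate their counterpart (regex/nregex, eq/neq,
         ipmatch/nipmatch); the exact semantics are the engine's, not the schema's. -->
    <xs:simpleType name="operatorType">
        <xs:annotation>
            <xs:documentation>Operator used to compare a rule's args against its pattern.</xs:documentation>
        </xs:annotation>
        <xs:restriction base="xs:string">
            <xs:enumeration value="regex"/>
            <xs:enumeration value="nregex"/>
            <xs:enumeration value="eq"/>
            <xs:enumeration value="neq"/>
            <xs:enumeration value="ipmatch"/>
            <xs:enumeration value="nipmatch"/>
        </xs:restriction>
    </xs:simpleType>

    <!-- How the rules inside one ruleSet are combined. -->
    <xs:simpleType name="conditionType">
        <xs:annotation>
            <xs:documentation>Boolean combination of the rules in a ruleSet.</xs:documentation>
        </xs:annotation>
        <xs:restriction base="xs:string">
            <xs:enumeration value="and"/>
            <xs:enumeration value="or"/>
        </xs:restriction>
    </xs:simpleType>

    <!-- Outcome when a ruleSet matches. The schema carries only the names;
         which of these block the request and which merely log is defined by
         the filter — confirm against the spec. -->
    <xs:simpleType name="actionType">
        <xs:annotation>
            <xs:documentation>Action taken when a ruleSet matches.</xs:documentation>
        </xs:annotation>
        <xs:restriction base="xs:string">
            <xs:enumeration value="error"/>
            <xs:enumeration value="warning"/>
            <xs:enumeration value="notice"/>
            <xs:enumeration value="pass"/>
            <xs:enumeration value="allow"/>
        </xs:restriction>
    </xs:simpleType>

    <!-- A group of rules evaluated together at one stage. minOccurs defaults
         to 1, so a ruleSet must contain at least one rule. "condition" is
         optional and the schema declares no default, so the behaviour of a
         ruleSet with several rules and no condition is left to the engine. -->
    <xs:complexType name="ruleSetType">
        <xs:annotation>
            <xs:documentation>One or more rules, the stage they run in and the action on match.</xs:documentation>
        </xs:annotation>
        <xs:sequence>
            <xs:element name="rule" type="ruleType" maxOccurs="unbounded"/>
        </xs:sequence>

        <xs:attribute name="stage" type="stageType" use="required"/>
        <xs:attribute name="action" type="actionType" use="required"/>
        <xs:attribute name="condition" type="conditionType"/>
    </xs:complexType>

    <!-- A single test: "args" names what is inspected, "pattern" is the value
         it is compared with, "operator" selects the comparison. "operator" is
         optional and no default is declared here. NOTE(review): nothing
         constrains "pattern" for the regex operators; the engine should treat
         rule files as trusted configuration and document any limits on
         pattern complexity — confirm. -->
    <xs:complexType name="ruleType">
        <xs:annotation>
            <xs:documentation>A single comparison of a request/response attribute against a pattern.</xs:documentation>
        </xs:annotation>
        <xs:attribute name="args" type="xs:string" use="required"/>
        <xs:attribute name="operator" type="operatorType"/>
        <xs:attribute name="pattern" type="xs:string" use="required"/>
    </xs:complexType>

    <!-- Top-level rule container: one or more ruleSets plus an identifier.
         "path" and "normalization" are optional free-form strings; see the
         note on normalizationType about the latter. -->
    <xs:complexType name="recipeType">
        <xs:annotation>
            <xs:documentation>A named collection of ruleSets.</xs:documentation>
        </xs:annotation>
        <xs:sequence>
            <xs:element name="ruleSet" type="ruleSetType" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="id" type="xs:string" use="required"/>
        <xs:attribute name="path" type="xs:string"/>
        <xs:attribute name="normalization" type="xs:string"/>
    </xs:complexType>

    <!-- Document root of a rule file. -->
    <xs:element name="recipe" type="recipeType"/>

</xs:schema>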

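<?xml version="1.0"?>

<!--
  Example WAS Protect recipe for the schema above (no target namespace, so the
  schema is bound with xsi:noNamespaceSchemaLocation). A recipe holds one or
  more ruleSets; each ruleSet names the stage it is evaluated in, the action on
  match and how its rules are combined.
  NOTE(review): the schema location is a hint, not a trusted fetch target —
  a loader should validate against its own copy of wasprotect.xsd rather than
  resolve whatever path a rule file names, and should parse with DTD/external
  entity processing disabled.
-->
<recipe
    id="was#12345"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="wasprotect.xsd"
>

    <!-- Evaluated at the requestHeaders stage. With condition="and" the set
         presumably matches only when both rules below match, at which point
         action="error" applies; the schema itself defines neither semantics. -->
    <ruleSet
        stage="requestHeaders"
        action="error"
        condition="and"
    >

        <!-- Compares the username parameter against a fixed value. -->
        <rule
            operator="eq"
            args="request.params.username"
            pattern="admin"
        />

        <!-- Matches the client address against a prefix. The pattern has host
             bits set (192.168.0.9/24 rather than 192.168.0.0/24); the engine
             should define whether such prefixes are masked or rejected — TODO
             confirm with the spec. -->
        <rule
            operator="ipmatch"
            args="request.remote_addr"
            pattern="192.168.0.9/24"
        />

    </ruleSet>

</recipe>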


