From 3284fc29e19d316b826c11cd68d300e260240029 Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Oct 17 2008 12:55:39 +0000 Subject: - new upstream release fixing bz #463459 --- diff --git a/.cvsignore b/.cvsignore index d4c7ff3..f6f5e27 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,3 +1,4 @@ prelude-lml-0.9.8.1.tar.gz prelude-lml-0.9.11.tar.gz prelude-lml-0.9.13.tar.gz +prelude-lml-0.9.14.tar.gz diff --git a/prelude-lml-0.9.12-pie.patch b/prelude-lml-0.9.12-pie.patch index 360038f..fa98eea 100644 --- a/prelude-lml-0.9.12-pie.patch +++ b/prelude-lml-0.9.12-pie.patch @@ -1,7 +1,7 @@ -diff -ur prelude-lml-0.9.12.2.orig/configure prelude-lml-0.9.12.2/configure ---- prelude-lml-0.9.12.2.orig/configure 2008-04-24 14:08:17.000000000 -0400 -+++ prelude-lml-0.9.12.2/configure 2008-04-24 15:25:29.000000000 -0400 -@@ -33196,7 +33196,7 @@ +diff -ur prelude-lml-0.9.14.orig/configure prelude-lml-0.9.14/configure +--- prelude-lml-0.9.14.orig/configure 2008-10-17 08:11:23.000000000 -0400 ++++ prelude-lml-0.9.14/configure 2008-10-17 08:51:22.000000000 -0400 +@@ -37812,7 +37812,7 @@ #AC_LANG_PUSH([C]) save_LDFLAGS="$LDFLAGS" @@ -10,10 +10,11 @@ diff -ur prelude-lml-0.9.12.2.orig/configure prelude-lml-0.9.12.2/configure cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ -diff -ur prelude-lml-0.9.12.2.orig/plugins/pcre/Makefile.in prelude-lml-0.9.12.2/plugins/pcre/Makefile.in ---- prelude-lml-0.9.12.2.orig/plugins/pcre/Makefile.in 2008-04-24 14:08:17.000000000 -0400 -+++ prelude-lml-0.9.12.2/plugins/pcre/Makefile.in 2008-04-24 15:23:24.000000000 -0400 -@@ -155,7 +155,7 @@ +Only in prelude-lml-0.9.14: configure.orig +diff -ur prelude-lml-0.9.14.orig/plugins/pcre/Makefile.in prelude-lml-0.9.14/plugins/pcre/Makefile.in +--- prelude-lml-0.9.14.orig/plugins/pcre/Makefile.in 2008-10-17 08:11:29.000000000 -0400 ++++ prelude-lml-0.9.14/plugins/pcre/Makefile.in 2008-10-17 08:51:22.000000000 -0400 +@@ -173,7 +173,7 @@ BITSIZEOF_WINT_T = @BITSIZEOF_WINT_T@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ 
@@ -22,15 +23,16 @@ diff -ur prelude-lml-0.9.12.2.orig/plugins/pcre/Makefile.in prelude-lml-0.9.12.2 CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CXX = @CXX@ -diff -ur prelude-lml-0.9.12.2.orig/src/Makefile.in prelude-lml-0.9.12.2/src/Makefile.in ---- prelude-lml-0.9.12.2.orig/src/Makefile.in 2008-04-24 14:08:17.000000000 -0400 -+++ prelude-lml-0.9.12.2/src/Makefile.in 2008-04-24 15:24:31.000000000 -0400 -@@ -489,7 +489,7 @@ +Only in prelude-lml-0.9.14/plugins/pcre: Makefile.in.orig +diff -ur prelude-lml-0.9.14.orig/src/Makefile.in prelude-lml-0.9.14/src/Makefile.in +--- prelude-lml-0.9.14.orig/src/Makefile.in 2008-10-17 08:11:30.000000000 -0400 ++++ prelude-lml-0.9.14/src/Makefile.in 2008-10-17 08:52:44.000000000 -0400 +@@ -592,7 +592,7 @@ target_vendor = @target_vendor@ SUBDIRS = include - AM_CPPFLAGS = -I$(srcdir)/include/ -I$(top_srcdir)/libmissing @LIBPRELUDE_CFLAGS@ @PCRE_CFLAGS@ @FAM_CFLAGS@ + AM_CPPFLAGS = -I$(srcdir)/include/ -I$(top_srcdir)/libmissing -I$(top_builddir)/libmissing -I$(top_srcdir)/libev @LIBPRELUDE_CFLAGS@ @PCRE_CFLAGS@ -AM_CFLAGS = @GLOBAL_CFLAGS@ +AM_CFLAGS = @GLOBAL_CFLAGS@ -fPIE -DPIE - prelude_lml_LDADD = @LIBPRELUDE_LIBS@ @PCRE_LIBS@ @FAM_LIBS@ $(top_builddir)/libmissing/libmissing.la - prelude_lml_LDFLAGS = @LIBPRELUDE_LDFLAGS@ @FAM_LDFLAGS@ -export-dynamic \ + prelude_lml_LDADD = @LIBPRELUDE_LIBS@ @PCRE_LIBS@ $(top_builddir)/libev/libev.la $(top_builddir)/libmissing/libmissing.la + prelude_lml_LDFLAGS = @LIBPRELUDE_LDFLAGS@ -export-dynamic \ "-dlopen" $(top_builddir)/plugins/debug/debug.la \ diff --git a/prelude-lml-0.9.13-modsecurity.patch b/prelude-lml-0.9.13-modsecurity.patch deleted file mode 100644 index d765423..0000000 --- a/prelude-lml-0.9.13-modsecurity.patch +++ /dev/null 
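Review bot: The refreshed src/Makefile.in hunk still only adds `-fPIE -DPIE` to `AM_CFLAGS`, while the visible `prelude_lml_LDFLAGS = @LIBPRELUDE_LDFLAGS@ -export-dynamic \` line carries no `-pie`; unless the configure hunk at `@@ -37812` (whose changed line is collapsed out of view here) injects `-pie` into LDFLAGS, prelude-lml is compiled as position-independent code but linked as a fixed-address executable and gains no ASLR from this patch. That is worth confirming on the built binary (`readelf -h` should report Type `DYN`) before relying on the hardening. The regenerated patch also now contains `+Only in prelude-lml-0.9.14: configure.orig` and `Makefile.in.orig` lines left by `diff -ur`; patch(1) ignores them, but they show the patch was cut against a tree with stale `.orig` files and dropping them keeps the patch minimal and reviewable.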
@@ -1,272 +0,0 @@ -diff -ur prelude-lml-0.9.13.orig/plugins/pcre/ruleset/modsecurity.rules prelude-lml-0.9.13/plugins/pcre/ruleset/modsecurity.rules ---- prelude-lml-0.9.13.orig/plugins/pcre/ruleset/modsecurity.rules 2008-10-11 14:30:01.000000000 -0400 -+++ prelude-lml-0.9.13/plugins/pcre/ruleset/modsecurity.rules 2008-10-11 14:33:08.000000000 -0400 -@@ -20,7 +20,7 @@ - # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. - # - ##### --# The rules developed using mod_security-2.1.6. -+# The rules developed using mod_security-2.5.6 (tested with 2.1.7 and 2.5.6) - ##### - - # Here are some example log entries that should match against rules defined below: -@@ -33,28 +33,120 @@ - # LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ match: 0. [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [uri "/\\xc4\\x9b+\\xc5\\xa1\\xc4\\x8d\\xc5\\xa1\\xc5\\x99\\xc5\\x99\\xc4\\x8d\\xc3\\xbd\\xc3\\xbd\\xc3\\xa1"] [unique_id "pNLe4woiIjEAAF4fLq0AAAAH"] - # LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. 
[id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [uri "/\\xc4\\x9b+\\xc5\\xa1\\xc4\\x8d\\xc5\\xa1\\xc5\\x99\\xc5\\x99\\xc4\\x8d\\xc3\\xbd\\xc3\\xbd\\xc3\\xa1"] [unique_id "S2NY@woiIjEAAF4eLX8AAAAG"] - --# 3160-3167 --regex=\[severity "(?:EMERGENCY|ALERT|CRITICAL|ERROR)"\]; \ -- id=3160; \ -+######################## -+ -+# Protocol violation -+regex=\[id "(960911|950012|960912|960016|960011|960012|960013|950107|950801|950116|960014|960018|960901)"\]; \ -+ id=3167; \ -+ classification.text=HTTP Protocol violation; \ -+ assessment.impact.severity=medium; \ -+ additional_data(1).type=integer; \ -+ additional_data(1).meaning=ModSec Rule ID; \ -+ additional_data(1).data=$1; \ -+ chained; silent; -+ -+# Protocol anomaly -+regex=\[id "(960019|960008|960015|960009|960904|960017|960913)"\]; \ -+ id=3168; \ -+ classification.text=HTTP Protocol anomaly; \ -+ assessment.impact.severity=low; \ -+ additional_data(1).type=integer; \ -+ additional_data(1).meaning=ModSec Rule ID; \ -+ additional_data(1).data=$1; \ -+ chained; silent; -+ -+# Request limits -+regex=\[id "(960335)"\]; \ -+ id=3169; \ -+ classification.text=HTTP Request limit exceeded; \ -+ assessment.impact.severity=high; \ -+ additional_data(1).type=integer; \ -+ additional_data(1).meaning=ModSec Rule ID; \ -+ additional_data(1).data=$1; \ -+ chained; silent; -+ -+# HTTP policy -+regex=\[id "(960032|960010|960034|960035|960038|960902|960903)"\]; \ -+ id=3170; \ -+ classification.text=HTTP policy violation; \ -+ assessment.impact.severity=high; \ -+ additional_data(1).type=integer; \ -+ additional_data(1).meaning=ModSec Rule ID; \ -+ additional_data(1).data=$1; \ -+ chained; silent; -+ -+# Bad robots -+regex=\[id "(990002|990901|990902|990012|990011)"\]; \ -+ id=3171; \ -+ classification.text=Bad HTTP robot; \ -+ assessment.impact.severity=info; \ -+ additional_data(1).type=integer; \ -+ additional_data(1).meaning=ModSec Rule ID; \ -+ additional_data(1).data=$1; \ -+ chained; silent; -+ -+# 
Generic attacks -+regex=\[id "(959009|950007|959007|950904|959904|950001|959001|950901|959901|950906|959906|950908|959908|950004|959004|950005|959005|950002|950006|959006|950907|959907|950008|959008|950010|959010|950011|959011|950013|959013|950018|959018|950019|959019|950910|950911)"\]; \ -+ id=3172; \ -+ classification.text=Generic HTTP attack; \ -+ assessment.impact.severity=high; \ -+ additional_data(1).type=integer; \ -+ additional_data(1).meaning=ModSec Rule ID; \ -+ additional_data(1).data=$1; \ -+ chained; silent; -+ -+# Trojans -+regex=\[id "(950921|950922)"\]; \ -+ id=3173; \ -+ classification.text=HTTP trojan; \ - assessment.impact.severity=high; \ -+ additional_data(1).type=integer; \ -+ additional_data(1).meaning=ModSec Rule ID; \ -+ additional_data(1).data=$1; \ -+ chained; silent; -+ -+# Outbound -+regex=\[id "(970003|970004|970904|970007|970008|970009|970010|970012|970013|970014|970903|970015|970902|970016|970018|970901|970118|970021|970011)"\]; \ -+ id=3174; \ -+ classification.text=HTTP outbound policy violation; \ -+ assessment.impact.severity=high; \ -+ additional_data(1).type=integer; \ -+ additional_data(1).meaning=ModSec Rule ID; \ -+ additional_data(1).data=$1; \ -+ chained; silent; -+ -+######################### -+ -+# 3160-3166 -+regex=\[file "([^"]+)"\]; \ -+ id=3160; \ -+ additional_data(>>).type=string; \ -+ additional_data(-1).meaning=ModSec Ruleset File; \ -+ additional_data(-1).data=$1; \ - chained; silent; - --regex=\[severity "WARNING"\]; \ -+regex=\[line "(\d+)"\]; \ - id=3161; \ -- assessment.impact.severity=medium; \ -+ additional_data(>>).type=integer; \ -+ additional_data(-1).meaning=ModSec Ruleset Line; \ -+ additional_data(-1).data=$1; \ - chained; silent; - --regex=\[severity "NOTICE"\]; \ -+regex=\[tag "(\S+)"\]; \ - id=3162; \ -- assessment.impact.severity=low; \ -+ additional_data(>>).type=string; \ -+ additional_data(-1).meaning=ModSec Rule Tag; \ -+ additional_data(-1).data=$1; \ - chained; silent; - --regex=\[severity 
"(?:INFO|DEBUG)"\]; \ -+regex=\[severity "(\S+)"\]; \ - id=3163; \ -- assessment.impact.severity=info; \ -+ additional_data(>>).type=string; \ -+ additional_data(-1).meaning=ModSec Severity; \ -+ additional_data(-1).data=$1; \ - chained; silent; - --regex=\[msg "([^"]+)"\]; \ -+regex=\[msg "([^"]+)"\]; optgoto=3167-3174; min-optgoto-match=1; \ - id=3164; \ - classification.reference(0).meaning=$1; \ - classification.reference(0).origin=vendor-specific; \ -@@ -62,67 +154,89 @@ - - regex=\[hostname "(\S+)"\]; \ - id=3165; \ -- target(0).node.address(1).address=$1; \ -- chained; silent; -- --regex=\[id "(\d+)"\]; \ -- id=3166; \ -- additional_data(1).type=integer; \ -- additional_data(1).meaning=ModSec Rule ID; \ -- additional_data(1).data=$1; \ -- classification.reference(0).name=$1; \ -+ target(0).node.address(0).address=$1; \ - chained; silent; - - regex=\[unique_id "(\S+)"\]; \ -- id=3167; \ -- additional_data(2).type=string; \ -- additional_data(2).meaning=Unique ID; \ -- additional_data(2).data=$1; \ -- chained; silent; -+ id=3166; \ -+ additional_data(>>).type=string; \ -+ additional_data(-1).meaning=Unique ID; \ -+ additional_data(-1).data=$1; \ -+ chained; silent; -+ -+#regex=\[id "(\d+)"\]; \ -+# id=3166; \ -+# additional_data(1).type=integer; \ -+# additional_data(1).meaning=ModSec Rule ID; \ -+# additional_data(1).data=$1; \ -+# classification.reference(0).name=$1; \ -+# chained; silent; -+######################### - --# 3120-3121; --regex=Match of "(.+)" against "(\S+)" required\.; optgoto=3160-3167; \ -+# 3120-3125 -+regex=Match of "(.+)" against "(\S+)" required\.; optgoto=3160-3166; \ - id=3120; \ - assessment.impact.description=ModSecurity found pattern match "$1" in HTTP object $2.; \ - chained; silent; - --regex=Operator ([A-Z]{2}) match: (\d+)\.; optgoto=3160-3167; \ -+regex=Operator ([A-Z]{2}) match: (\d+)\.; optgoto=3160-3166; \ - id=3121; \ - assessment.impact.description=ModSecurity found operator "$1" match "$2".; \ - chained; silent; - 
--regex=Pattern match "(.+)" at (\S+)\.; optgoto=3160-3167; \ -+regex=Pattern match "(.+)" at (.+?)\.; optgoto=3160-3166; \ - id=3122; \ - assessment.impact.description=ModSecurity found pattern match "$1" in HTTP object $2.; \ - chained; silent; - -+regex=Operator ([A-Z]{2}) matched (\d+) at (\S+)\.; optgoto=3160-3166; \ -+ id=3123; \ -+ assessment.impact.description=ModSecurity found operator "$1" match "$2".; \ -+ chained; silent; -+ -+regex=Found (\d+) byte\(s\) in (\S+) outside range: (\S+)\.; optgoto=3160-3166; \ -+ id=3124; \ -+ assessment.impact.description=ModSecurity found $1 byte(s) in "$2" outside range $3.; \ -+ chained; silent; -+ -+regex=Found (\d+) byte\(s\) outside range: (\S+)\.; optgoto=3160-3166; \ -+ id=3125; \ -+ assessment.impact.description=ModSecurity found $1 byte(s) outside range $3.; \ -+ chained; silent; -+ - # 3130-3133; Access denied + ... --regex=with code (\d+) \(phase \d\)\.; optgoto=3120-3122; \ -+regex=with code (\d+) \(phase \d\)\.; optgoto=3120-3125; \ - id=3130; \ - assessment.action(0).category = block-installed; \ - assessment.action(0).description = Access was blocked with HTTP response code $1.; \ - chained; silent; - --regex=using proxy to \(phase (\d+)\) (\S+)\.; optgoto=3120-3122; \ -+regex=using proxy to \(phase (\d+)\) (\S+)\.; optgoto=3120-3125; \ - id=3131; \ - assessment.action(0).category = block-installed; \ - assessment.action(0).description = Access was denied using proxy to $2.; \ - chained; silent; - --regex=with redirection to (\S+) using status (\d+) \(phase (\d+)\)\.; optgoto=3120-3122; \ -+regex=with redirection to (\S+) using status (\d+) \(phase (\d+)\)\.; optgoto=3120-3125; \ - id=3132; \ - assessment.action(0).category = block-installed; \ - assessment.action(0).description = Access was redirected to $1.; \ - chained; silent; - --regex=with connection close \(phase (\d+)\).; optgoto=3120-3122; \ -+regex=with connection close \(phase (\d+)\).; optgoto=3120-3125; \ - id=3133; \ - 
assessment.action(0).category = block-installed; \ - assessment.action(0).description = Connection was closed.; \ - chained; silent; - -+# Output filter -+regex=Response body too large \(over limit of (\d+)(.+?)\)\.; optgoto=3160-3166; \ -+ id=3150; \ -+ assessment.impact.description=Response body too large (over limit of $1$2); \ -+ chained; silent; -+ - # 3100-3102 --regex=Warning\.; optgoto=3120-3121; \ -+regex=Warning\.; optgoto=3120-3125; \ - id=3101; \ - classification.text=HTTP Warning.; \ - assessment.impact.completion=succeeded; \ -@@ -134,7 +248,14 @@ - assessment.impact.completion=failed; \ - chained; silent; - --regex=\[client ([\d\.]+)\] ModSecurity:.*\[uri "([^"]+)"\]; optgoto=3101-3102; \ -+regex=Output filter:; optgoto=3150; \ -+ id=3103; \ -+ classification.text=HTTP Output filer error; \ -+ assessment.impact.completion=failed; \ -+ assessment.impact.severity=high; \ -+ chained; silent; -+ -+regex=\[client ([\d\.]+)\] ModSecurity:.*\[uri "([^"]+)"\]; optgoto=3101-3103; \ - id=3100; \ - analyzer(0).name=ModSecurity; \ - analyzer(0).manufacturer=www.modsecurity.org; \ diff --git a/prelude-lml.spec b/prelude-lml.spec index 13818e0..1bfbaaf 100644 --- a/prelude-lml.spec +++ b/prelude-lml.spec @@ -1,6 +1,6 @@ Name: prelude-lml -Version: 0.9.13 -Release: 2%{?dist} +Version: 0.9.14 +Release: 1%{?dist} Summary: The prelude log analyzer Group: System Environment/Libraries @@ -9,7 +9,6 @@ URL: http://prelude-ids.org/ Source0: http://www.prelude-ids.org/download/releases/%{name}/%{name}-%{version}.tar.gz Source1: prelude-lml.init Patch1: prelude-lml-0.9.12-pie.patch -Patch2: prelude-lml-0.9.13-modsecurity.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: gamin-devel, libprelude-devel, pcre-devel @@ -45,7 +44,6 @@ sensor. %prep %setup -q %patch1 -p1 -%patch2 -p1 sed -i.debug -e '/nlist/s|\$rm|: $rm|' ltmain.sh 
@@ -113,6 +111,9 @@ fi %changelog +* Fri Oct 17 2008 Steve Grubb 0.9.14-1 +- new upstream release fixing bz #463459 + * Sat Oct 11 2008 Steve Grubb 0.9.13-2 - improved mod_security rules diff --git a/sources b/sources index d83ff09..0906ff2 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -310649089740e93916af60840e405928 prelude-lml-0.9.13.tar.gz +e95c1e4c6a8f4196d87121914a4683e6 prelude-lml-0.9.14.tar.gz