________________________________
From: mod-security-users-bounces@...
[mailto:mod-security-users-bounces@...] On Behalf Of
entracity inc
Sent: Tuesday, August 26, 2008 4:50 PM
To: mod-security-users@...
Subject: [mod-security-users] Query String Wildcard Params
I'm having trouble using wildcard characters with request query
parameters; none of the following seem to accomplish what I'd like:
SecRule REQUEST_LINE "CHAR(4000);SET" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule REQUEST_LINE "DECLARE" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule REQUEST_LINE "DeCLARE" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule REQUEST_LINE "S=CAST" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule REQUEST_LINE "@contains CHAR(4000);SET" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule REQUEST_LINE "@contains DECLARE" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule REQUEST_LINE "@contains DeCLARE" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "S=CAST" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "CHAR(4000)" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING ";SET" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "DECLARE" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "DeCLARE" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "S=CAST" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "@contains CHAR(4000)" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "@contains ;SET" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "@contains DECLARE" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "@contains DeCLARE" "nolog,deny,status:501,ctl:auditEngine=Off"
Any help is appreciated :)
[Ryan Barnett] Two comments -
1) My guess as to why these are not matching is that these rules are
inheriting the default transformation function of lowercase. What
version are you using? You could add "t:none" to your action list.
2) You shouldn't need to add in these custom rules if you are using the
Core Rule Set as rule ID 959001 will catch it. Are you not using the
Core Rules?
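
The effect the reply describes, as an added example that is not part of the original thread and not ModSecurity's own code: a small Python model in which transformations run before the operator, so an uppercase pattern never sees uppercase input. The names `rule_matches`, `results`, `INHERITED` and the sample query strings are assumptions made for illustration; the last two calls also show that a pattern without an `@` operator is a regular expression, where parentheses group rather than match literally.

```python
import re

# Simplified model of rule evaluation (an assumption, not ModSecurity code):
# transformations run on the variable first, then the operator sees the result.
TRANSFORMS = {"lowercase": str.lower}
INHERITED = ["lowercase"]  # the inherited default the reply suspects


def rule_matches(value, operator, pattern, actions=()):
    """Return True if the modelled rule would fire on `value`."""
    pipeline = list(INHERITED)
    for action in actions:
        if action == "t:none":
            pipeline = []  # t:none discards inherited transformations
        elif action.startswith("t:"):
            pipeline.append(action[2:])
    for name in pipeline:
        value = TRANSFORMS[name](value)
    if operator == "contains":
        return pattern in value  # literal substring, case-sensitive
    return re.search(pattern, value) is not None  # no @operator: regex


# Constructed query strings using the keyword from the thread.
SAMPLES = ["id=1;DECLARE", "id=1;DeCLARE", "id=1;declare"]


def results(operator, pattern, actions=()):
    """Evaluate one modelled rule against every sample query string."""
    return [rule_matches(q, operator, pattern, actions) for q in SAMPLES]


if __name__ == "__main__":
    # SecRule QUERY_STRING "@contains DECLARE" "nolog,deny,..."
    print(results("contains", "DECLARE"))
    # Same rule with t:none added, as the reply suggests
    print(results("contains", "DECLARE", ["t:none"]))
    # Lowercase pattern, keeping the lowercase transformation
    print(results("contains", "declare", ["t:none", "t:lowercase"]))
    # Regex operator: parentheses group, so escape them for a literal match
    print(rule_matches("x=CHAR(4000)", "rx", "CHAR(4000)", ["t:none"]))
    print(rule_matches("x=CHAR(4000)", "rx", r"CHAR\(4000\)", ["t:none"]))
```

With `t:none` alone the rule matches only the exact case written in the pattern, so every case variant needs its own rule; a lowercase pattern combined with the lowercase transformation covers all of them in one rule.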