Still the same - im using crs_2.2.2 as directed by Ryan

Ever since i recompiled against apache 2.2.19 ive had major problems with segmentation faults and now rules are behaving differently after compiling against apr v 1.3.12 and pcre v 8.x

I cant see what the issue is - im using the same files from crs_2.2.1 but im getting PCRE exceptions on rule 950901

Im on holiday tomo and friday and have a meeting today to update on the status of this

Is there anything you can suggest here - does secruleupdatetarget etc work when using anomaly mode ??

On 31/08/11 13:55, Breno Silva wrote:
Kwenu,

Try this  ctl:ruleUpdateTargetById=950901;!REQUEST_COOKIES:s_pers;!REQUEST_COOKIES:s_pers

Breno

On Wed, Aug 31, 2011 at 5:16 AM, kwenu <uzoka_a@yahoo.co.uk> wrote:
Since compiling apache and modsecurity to use external PCRE library version 1.3.12

I have suffered from PCRE limit detections on rule  950901

This i disabled putting the following "SecRuleRemoveById 950901" in modsecurity_crs_60_customrules.conf

Now the following rules are in file modsecurity_crs_15_customrules.conf

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
   "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=950901;!REQUEST_COOKIES:s_pers"

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
   "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=981172;!REQUEST_COOKIES:s_sess"

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
   "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=981172;!REQUEST_COOKIES:s_pers"

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
   "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=981211;!REQUEST_COOKIES:s_sess"
     
SecRule REQUEST_HEADERS:Host "!@rx (^$)" \
   "phase:2,t:none,nolog,pass,ctl:ruleUpdateTargetById=981211;!REQUEST_COOKIES:s_pers"


Are appending targets as below taken from modsec_debug.log

Rule a93fb08: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_sess|!REQUEST_COOKIES:s_pers |

Rather than append once and once only its behaving recursively - what im I doing wrong ????


On 30/08/11 15:53, Ryan Barnett wrote:
What are you trying to do here?  Create some custom rules that restrict
the size of the payload of the parameter named "name"?

-Ryan

On 8/30/11 10:33 AM, "Usman Waheed" <usmanw@opera.com> wrote:

Hi,

I am testing out the default rules that come with mod_security in my test

setup and have the following below in my config files. For some reason
this rule does not trigger when i set the size of a text input field to
100+ characters.

For example in my test form (method: POST) i have:
<input type=text  
name="unamebbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
cccccccc"></td>

Appreciate if i could get some pointers.

I also tried with ARGS_GET_NAMES instead of ARGS_NAMES but no luck.

Thanks,
Usman

## Limit argument name length (modsecurity_crs_10_config.conf)
SecAction  
"phase:1,id:'981212',t:none,nolog,pass,setvar:tx.arg_name_length=100"

## modsecurity_crs_23_request_limits.conf
SecRule &TX:ARG_NAME_LENGTH "@eq 1"
"chain,phase:2,t:none,block,msg:'Argument name too
long',id:'960209',severity:'4',rev:'2.2.1'"
        SecRule &ARGS_NAMES "@gt %{tx.arg_name_length}"
"t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx
.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},
setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"








--------------------------------------------------------------------------
----
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php
------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better 
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php



------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php