Sorry, I read a directive example; I think your policies were right.

I have seen how it uses tags on that directive at the same link:


SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bmail\b" \
     "phase:2,rev:'2.1.1',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"

SecRuleUpdateTargetByTag "WASCTC/WASC-31" !ARGS:email

If you take a look, SecRuleUpdateTargetByTag is using the tag tag:'WASCTC/WASC-31' instead of tag:'WEB_ATTACK/COMMAND_INJECTION', uses simple quotation, and keeps the rule format as you wrote at the beginning:

SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" !ARGS_NAMES:/property/

Try it with:

SecRuleUpdateTargetByTag "WASCTC/WASC-31" !ARGS_NAMES:\/property\/

The backslash character is to escape the / character.

Kind regards


2014-01-28 David R <rewt@linux-elite.org>
rewt rewt <rewt <at> linux-elite.org> writes:

>
> Dear All, I have to urgently secure a web application.
> Unfortunately it is not working as expected :(
>
> My problems are:
> - ARGS variable names change; the only remaining part is "property", so I wanted to write something like .*property.* ...
>
> - When I write a chained rule it works, but it whitelists the full URL instead of the ARGS only
>
> (for information, this ARG variable contains an SSL certificate which is considered as SQLi.)
>
>
> I have tried tons of possibilities:
>
> This one fully whitelists the URL and does not consider the ARGS value
> (I have tried it in different orders: ARGS_NAME before, then REQUEST_URI -> not whitelisting at all)
>
>
>
> SecRule REQUEST_URI "^/dir/mycgi.cgi.*" "phase:1,t:none,nolog,id:25,chain,pass,ctl:ruleEngine=off"
> SecRule ARGS_NAMES .*property.* "t:none"
>
>
>
>
>
> This one does the same:
>
> SecRule REQUEST_URI "^/dir/mycgi.cgi" "id:25,phase:1,t:none,pass,nolog,ctl:ruleEngine=off"
>
> # I tried to match BEGIN and END of certificate
>
> SecRule ARGS:property_value_.* !BEGIN.*END.*$ "id:26,phase:2,t:none,redirect:https://site/blocked.html,msg:'MyAPP issue'"
> SecRule ARGS:old_property_value_.* !BEGIN.*END.*$ "id:27,phase:2,t:none,redirect:https://site/blocked.html,msg:'MyAPP issue'"
>
>
>
> # I also tried:
> SecRule REQUEST_URI "^/dir/mycgi.cgi" "id:25,phase:1,t:none,pass,nolog,ctl:ruleEngine=off;ARGS:.*property.*
>
>
> Syntax error on line 95 of /etc/httpd/conf.d/reverse-mycgi.conf:
>
> Error parsing actions: Invalid setting for ctl name ruleEngine: off;ARGS:.*property.*
>
>
> (ARGS_NAMES does the same)
>
> Some help would be very much appreciated as I don't know what to do now :(
>
> I don't even find a way to fully whitelist this ARGS (with regular expression) inside my virtualhost.
>
> Kind regards,
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
Same problem with double quotes ""

Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:property_value_74_inst0_882538:
...
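
Added example, not part of the original thread or of ModSecurity: a small Python check of which rules a SecRuleUpdateTargetByTag pattern selects and what their target list becomes, so the scope of an exclusion can be reviewed before it is deployed. It assumes the tag argument is matched as a regular expression against each rule tag and that the exclusion is appended to the target list; rule 999001 and all function names are constructed for illustration.

```python
import re

# Rule 958895 as quoted in the thread (actions shortened to msg, id and tags),
# plus a constructed rule with a hypothetical id to give a second tag family.
RULES = r'''
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bmail\b" \
     "phase:2,block,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2'"
# constructed sample rule, not from any real rule set
SecRule ARGS "@rx sample" \
     "phase:2,block,msg:'sample',id:'999001',tag:'WEB_ATTACK/SQL_INJECTION'"
'''


def parse_rules(text):
    """Return {rule_id: {'targets': str, 'tags': [str]}} for each SecRule."""
    rules = {}
    # Join backslash-continued lines so each rule is one logical line.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line.startswith("SecRule "):
            continue
        # The action list is the last double-quoted string on the line.
        actions = re.search(r'"([^"]*)"\s*$', line).group(1)
        rule_id = re.search(r"\bid:'?(\d+)'?", actions).group(1)
        rules[rule_id] = {
            "targets": line.split()[1],
            "tags": re.findall(r"\btag:'([^']*)'", actions),
        }
    return rules


def affected_by(rules, tag_pattern):
    """Ids of rules with at least one tag matching tag_pattern (assumed regex)."""
    rx = re.compile(tag_pattern)
    return sorted(rid for rid, rule in rules.items()
                  if any(rx.search(tag) for tag in rule["tags"]))


def effective_targets(rules, tag_pattern, exclusion):
    """Target list of each selected rule after the exclusion is appended."""
    return {rid: rules[rid]["targets"] + "|" + exclusion
            for rid in affected_by(rules, tag_pattern)}


if __name__ == "__main__":
    parsed = parse_rules(RULES)
    for pattern in ("WASCTC/WASC-31", "WEB_ATTACK/SQL_INJECTION", "WEB_ATTACK"):
        print(pattern, "->", effective_targets(parsed, pattern, "!ARGS:email"))
```

A broad pattern such as "WEB_ATTACK" selects both rules here, which is the over-wide exclusion this kind of review is meant to catch.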


