So I guess mod_security should be able to detect a line feed character that has been included in a request, by using a transformation function?

Thanks for your reference.

Kind regards,


2014-03-12 9:36 GMT+01:00 Josh Amishav-Zlatin <josh@wafsec.com>:
On Tue, Mar 11, 2014 at 04:46:11PM +0100, Jose Pablo Valcárcel Lázaro wrote:
> patterns. Some suricata rules have hexadecimal content in the field.
>
> Some of them I'm able to parse to ascii, but some hexadecimal values are
> non-printable ascii characters. My question is, should I care, or should I
> ignore those non-printable hexadecimal values?

Hi Jose,

The ModSecurity way would be to use transformations:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-Transformation_functions

--
 - Josh

>
> A list of conversions could be:
>
> Content:                       After conversion:
> "|2e 2e 2f|"                   ../
> "|2e/2e/2f|"                   ../
> "|2e\2e\2f|"                   ../
> "|2e|2e|2f|"                   ../
> "|2e|2e|2f|root"               ../root
> "|2e|2e|2f|root.php"           ../root.php
> "|2e|2e|root|2f|"              ..root/
> "|2e 2e 2f|"                   ../
> "|2e 2e 2fe|"                  ../e
> "|2e|2f|sogou"                 ./sogou
> "2e2f sogou"                   ./sogou
> "|2E|2F|sogou"                 ./sogou
> "|00 00 00 04|ftp|3a|//"       ftp://
> "2A02"                         *
> "|2A02|"                       *
> "/etc/prueba/inetd\.conf"      /etc/prueba/inetd.conf
> "|esto es una prueba|"         esto es una prueba
> "http|3a|2f|2f"                http://
> "3a|2f|2f|http"                ://http
> "http 3a 2f 2f"                http://
> "esto es una prueba"           esto es una prueba
> "http 3a 2f 2f"                http://
> "http|3a|2f|2f"                http://
> "Burp proxy error|3A 20|"      Burp proxy error:
> "%72%65%70%6c%61%63%65%28"     replace(
> "Burp proxy error|3A 20|"      Burp proxy error:
>
> My problem is with some hex patterns which have values between 00 and 1F.
> These values are non-printable ascii, so if I try to convert them I will get
> strange output, and if I ignore them I will handle the content field as a
> string, and the same will happen for extended ascii codes. I have seen suricata
> content fields as follows: "/%E0%B4%8C%E1%82%AB"
>
> If I decide to parse the hexadecimal values as ascii I will get this
> response: à´á«
>
> Should I convert non-printable and extended ascii characters from
> hexadecimal?
>
> I have also seen several directives which match mod_security rules, so I
> was thinking of reading each content field with the http directive, creating
> a mod_security rule, and chaining it with the following directives until I
> finally finish reading that suricata rule.
>
> I have tried to develop a mod_security rule with a random high id, and when I
> restart apache I get a duplicate id error. Do you know why this is
> happening?
>
> Kind regards

> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications. Written by three acclaimed leaders in the field,
> this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/13534_NeoTech

> _______________________________________________
> mod-security-users mailing list
> mod-security-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/


--
Josh Amishav-Zlatin
CTO | Wafsec

The WAF is free, your time isn't
