It doesn't seem to be doing anything though... I still see the body being recorded =(


On Wed, Oct 9, 2013 at 2:18 PM, Steve Stonebraker <steve.stonebraker@gmail.com> wrote:
This seems to work (from a Syntax perspective):

SecRule REQUEST_BODY ^\{(?:.*)"password":"(.*?)\"\}$ "phase:2,id:'1001',nolog,pass,ctl:auditLogParts=-C"


On Wed, Oct 9, 2013 at 2:10 PM, Steve Stonebraker <steve.stonebraker@gmail.com> wrote:
Thanks!

I came up with this rule:
SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$" "phase:2,id:'1001',nolog,pass,ctl:auditLogParts=-C,msg:'User sent password'"

But am receiving this error:
Syntax error on line 14 of /opt/modsecurity/etc/rules-first.conf:
SecRule takes two or three arguments, rule target, operator and optional action list


On Wed, Oct 9, 2013 at 9:58 AM, Josh Amishav-Zlatin <jamuse@owasp.org> wrote:
On Wed, Oct 9, 2013 at 4:02 PM, Steve Stonebraker <steve.stonebraker@gmail.com> wrote:
Thanks, I saw that and it looks great, but I can't implement it on a prod environment.

Right now I'm toying with:
SecRule REQUEST_BODY "^\{(?:.*)"password":"(.*?)\"\}$"

But I'm not sure how to replace the matched value with the character *


Hi Steve,

I think the only current solution is to use the ctl action to remove logging the request body entirely if it holds sensitive data. Kind of an all or nothing approach until the patch makes its way into the stable branch.

--
 - Josh
 

On Wed, Oct 9, 2013 at 8:06 AM, Josh Amishav-Zlatin <jamuse@owasp.org> wrote:
On Wed, Oct 9, 2013 at 2:28 PM, Steve Stonebraker <steve.stonebraker@gmail.com> wrote:
I'll answer my own question.  The body has JSON which is not processed by sanitiseArg.


Hi Steve,

Not sure how stable this is yet, but take a look at: https://www.modsecurity.org/tracker/browse/MODSEC-253
Perhaps with the patch you could use sanitiseMatched.

--
 - Josh
 

On Tue, Oct 8, 2013 at 12:10 PM, Steve Stonebraker <steve.stonebraker@gmail.com> wrote:
I am unable to sanitize a password in the request body.

--2a688459-C--
{"username":"someuser","password":"somepassword"}

What I've tried:
SecAction "phase:2,id:131,nolog,pass,sanitiseArg:password"
SecAction "phase:5,id:131,nolog,pass,sanitiseArg:password"
SecRule ARGS_NAMES password nolog,pass,id:132,sanitiseMatched

Any suggestions?


------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
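
Added example, not part of the original thread and not ModSecurity code: a post-processing approach to the masking asked about above, rewriting a serial audit log so that `password` values in JSON request bodies (part C) are replaced with `*`. The sample entry is constructed around the part C line quoted in the thread; the function names and the set of sensitive keys are assumptions.

```python
import json
import re

# Serial audit log section header: --<boundary>-<part letter>--
SECTION = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--\s*$")
SENSITIVE = {"password"}   # assumption: key names to mask, extend as needed
MASK = "********"
# Fallback for bodies that do not parse as JSON (e.g. truncated by a body limit)
FALLBACK = re.compile(r'("password"\s*:\s*")(?:[^"\\]|\\.)*(")', re.I)

def _mask(value):
    """Recursively replace the values of sensitive keys in parsed JSON."""
    if isinstance(value, dict):
        return {k: (MASK if k.lower() in SENSITIVE else _mask(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [_mask(v) for v in value]
    return value

def mask_body(body):
    """Mask one request body; re-serialises it when it is valid JSON."""
    try:
        parsed = json.loads(body)
    except ValueError:
        return FALLBACK.sub(r"\1" + MASK + r"\2", body)
    masked = json.dumps(_mask(parsed), separators=(",", ":"))
    return masked + body[len(body.rstrip()):]   # keep trailing blank lines

def scrub_audit_log(text):
    """Return the log text with sensitive values masked in part C only."""
    out, part, buf = [], None, []

    def flush():
        if part == "C" and buf:
            out.append(mask_body("\n".join(buf)))   # body may span lines
        else:
            out.extend(buf)
        buf.clear()

    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            flush()                 # close the previous section first
            out.append(line)
            part = m.group(2)
        else:
            buf.append(line)
    flush()
    return "\n".join(out)
```

Parts other than C pass through unchanged, so a credential that appears in a header or in the response body is not covered by this pass.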