Those directives can work on any TAG within a rule. Also, when using a regular expression to specify an ARGS name, you do not escape the /. !ARGS:/property/ means do NOT inspect the value of any parameter whose name contains "property".

Ryan Barnett

Lead Security Researcher, SpiderLabs

 

Trustwave | SMART SECURITY ON DEMAND

www.trustwave.com
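As an added example (not from this thread, and not the ModSecurity project's or Trustwave's own configuration), here is an Apache httpd virtual host fragment for ModSecurity 2.x with the OWASP CRS 2.x that puts the two approaches from the thread side by side: the original poster's ctl:ruleEngine=off rule, which switches off inspection for the whole URL, and the targeted exclusions that drop only the certificate parameters from the SQL injection rules. The Include paths, the hostname, rule id 1000100 and the parameter-name prefix "property_value_" are assumptions chosen to fit the thread; the tag WEB_ATTACK/SQL_INJECTION and rule id 958895 are the ones quoted in it.

```apache
# Added example, not from the thread or from the CRS/ModSecurity project.
# Apache httpd virtual host using ModSecurity 2.x with the OWASP CRS 2.x.
# Assumptions: the Include paths, the hostname, rule id 1000100 and the
# parameter-name prefix "property_value_" are constructed for illustration;
# the tag WEB_ATTACK/SQL_INJECTION and rule id 958895 are the ones quoted in
# the thread.
<VirtualHost *:443>
    ServerName app.example.test

    # Engine settings first, then the CRS rules (placeholder paths).
    Include /etc/httpd/modsecurity.d/modsecurity.conf
    Include /etc/httpd/modsecurity.d/crs/*.conf

    # --- Weak: the original post's approach, kept disabled for contrast ---
    # ctl:ruleEngine=off switches off every rule for the whole request, so
    # all other parameters sent to /dir/mycgi.cgi go uninspected as well.
    #
    # SecRule REQUEST_URI "^/dir/mycgi.cgi" \
    #     "id:25,phase:1,t:none,pass,nolog,ctl:ruleEngine=off"

    # --- Corrected, static: remove only the certificate parameters from the
    # SQLi rules. The directive works on any tag a rule carries, and the
    # regex between the slashes is NOT escaped; it is matched against the
    # parameter name, so property_value_74_inst0_882538 and
    # old_property_value_... both drop out of the target list while every
    # other argument is still inspected. These lines must come AFTER the
    # Include of the rules they modify.
    SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" "!ARGS:/property_value_/"
    SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" "!ARGS_NAMES:/property_value_/"

    # The same exclusion for a single rule id instead of a whole tag.
    SecRuleUpdateTargetById 958895 "!ARGS:/property_value_/"

    # --- Corrected, per request: only when the request is for /dir/mycgi.cgi,
    # remove the target from the tagged rules for this transaction. Nothing
    # else is switched off, and other URLs keep full inspection of a
    # parameter with the same name.
    SecRule REQUEST_FILENAME "@streq /dir/mycgi.cgi" "id:1000100,phase:1,t:none,pass,nolog,ctl:ruleRemoveTargetByTag=WEB_ATTACK/SQL_INJECTION;ARGS:/property_value_/"
</VirtualHost>
```

The static SecRuleUpdateTarget* form is the simplest when the parameter name is unique to this application; the ctl:ruleRemoveTargetByTag form is preferable when the same parameter name appears on other URLs that should stay fully inspected. Either way the exclusion stays as narrow as the audit log entry requires (the log line in the thread names the exact parameter, ARGS:property_value_74_inst0_882538), and every other argument on the request is still checked. After editing, run apachectl configtest to catch the kind of action-parsing error shown in the original post before reloading.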


From: Jose Pablo Valcárcel Lázaro <pablo.valcarcel1980@gmail.com>
Reply-To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Date: Tuesday, January 28, 2014 9:26 AM
To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: Re: [mod-security-users] Whitelisting nightmare...

Sorry, I read a directive example; I think your policies were right.

I have seen how it uses tags on that directive at the same link:

SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bmail\b" \
     "phase:2,rev:'2.1.1',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"

SecRuleUpdateTargetByTag "WASCTC/WASC-31" !ARGS:email

If you take a look, SecRuleUpdateTargetByTag is using the tag tag:'WASCTC/WASC-31' instead of tag:'WEB_ATTACK/COMMAND_INJECTION', uses simple quotation, and keeps the rule format as you wrote at the beginning:

SecRuleUpdateTargetByTag "WEB_ATTACK/SQL_INJECTION" !ARGS_NAMES:/property/

Try it with
SecRuleUpdateTargetByTag "WASCTC/WASC-31" !ARGS_NAMES:\/property\/

The backslash character is to escape the / character.

Kind regards


2014-01-28 David R <rewt@linux-elite.org>
rewt rewt <rewt <at> linux-elite.org> writes:

>
> Dear All, I have to urgently secure a web application.
> Unfortunately it is not working as expected :(
>
> My problems are:
> - ARGS variable names change, the only remaining part is "property" so I wanted to write something like .*property.* ...
>
> - When I write a chained rule it works, but it whitelists the full URL instead of the ARGS only
>
> (for information this ARG variable contains an SSL certificate which is considered as SQLi.)
>
> I have tried tons of possibilities:
>
> This one fully whitelists the URL and does not consider the ARGS value
> (I have tried it in different orders ARGS_NAME before, then REQUEST_URI -> not whitelisting at all)
>
> SecRule REQUEST_URI "^/dir/mycgi.cgi.*" "phase:1,t:none,nolog,id:25,chain,pass,ctl:ruleEngine=off"
> SecRule ARGS_NAMES .*property.* "t:none"
>
> This one does the same:
>
> SecRule REQUEST_URI "^/dir/mycgi.cgi" "id:25,phase:1,t:none,pass,nolog,ctl:ruleEngine=off"
>
> # I tried to match BEGIN and END of certificate
>
> SecRule ARGS:property_value_.* !BEGIN.*END.*$ "id:26,phase:2,t:none,redirect:https://site/blocked.html,msg:'MyAPP issue'"
> SecRule ARGS:old_property_value_.* !BEGIN.*END.*$ "id:27,phase:2,t:none,redirect:https://site/blocked.html,msg:'MyAPP issue'"
>
> # I also tried:
> SecRule REQUEST_URI "^/dir/mycgi.cgi" "id:25,phase:1,t:none,pass,nolog,ctl:ruleEngine=off;ARGS:.*property.*
>
> Syntax error on line 95 of /etc/httpd/conf.d/reverse-mycgi.conf:
>
> Error parsing actions: Invalid setting for ctl name ruleEngine: off;ARGS:.*property.*
>
> (ARGS_NAMES does the same)
>
> Some help would be very much appreciated as I don't know what to do now :(
>
> I don't even find a way to fully whitelist this ARGS (with regular expression) inside my virtualhost.
>
> Kind regards,
>
Same problem with double quotes ""

Restricted SQL Character Anomaly Detection Alert - Total # of special
characters exceeded"] [data "Matched Data: - found within
ARGS:property_value_74_inst0_882538:
...



_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/



