Re: [mod-security-users] How do I use sub-expression matches with Referer Request Header ??
From: Brian R. <Bri...@br...> - 2008-01-29 09:01:06
ph...@me... wrote:
> Hi all,
>
> I've recently installed ModSec 2.1.4 and am having trouble creating the
> following rule successfully.. (probably just syntactic semantics)..
>
> I have a Regex operating on ARGS for domain matches. This results in an
> expression match (ie TX:0) which I want to check against the referer
> header ie:
>
> SecRule REQUEST_HEADERS:Referer !TX:0 nolog,chain
>
> The objective is to exit the chain if a domain passed as an arg is found
> in the referer header, and if not, then continue with next rule in chain.
>
> The problem is, this doesn't work !
>
> I've confirmed that TX:0 and the referer header reference the expected
> data (Debug Logs & experimentation), so I can only guess it's
> syntactics. I can't find any documented examples where sub-expressions
> (ie TX:x) are used in this way.
>
> Any Ideas ??
>
> Thanks in advance.
>
> Phill Gillespie
>

So, what you want is to check if TX.0 is equal to (or perhaps contained
in) REQUEST_HEADERS:Referer? Unfortunately that is not really possible
in ModSecurity 2.1. This is because a regex is the only form of string
matching and it is compiled at config time (thus you cannot interpolate
variables at runtime).

However, you can do this quite easily in ModSecurity 2.5:

SecRule REQUEST_HEADERS:Referer \
    "!@contains %{ARGS.domain}" "deny,status:403,log,auditlog"

Note, though that you will most likely want something more complex as
this would be prone to false positives (eg referer was foo.fr.com and
domain was foo.fr). I suggest you match the ARGS doing a capture into
TX, then the same with the referer and then use @endsWith to match both
the TX vars. Doing this, you can also transform the ARGS and referer
via lowercase and have a better match.

-B

--
Brian Rectanus
Breach Security
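Added example, not part of the original message and not code from the ModSecurity project: one way the capture-then-@endsWith approach suggested above could be written in ModSecurity 2.5 syntax. The variable names tx.arg_domain and tx.referer_host, both regular expressions, and the leading-dot convention are assumptions made for illustration.

```apache
# Added illustration; names and patterns below are assumptions.

# 1. Capture the "domain" argument, lowercased, into TX.
#    A leading dot is stored so the later suffix test is aligned
#    on a DNS label boundary.
SecRule ARGS:domain "^([a-z0-9.-]+)$" \
    "phase:2,t:lowercase,capture,pass,nolog,setvar:tx.arg_domain=.%{tx.1}"

# 2. Capture only the host part of the Referer, lowercased, the same way.
#    Path, port, query string and fragment are excluded from the capture.
SecRule REQUEST_HEADERS:Referer "^https?://([^/:?#]+)" \
    "phase:2,t:lowercase,capture,pass,nolog,setvar:tx.referer_host=.%{tx.1}"

# 3. Deny when the Referer host does not end with the supplied domain.
#    With domain=foo.fr:
#      referer host foo.fr      -> ".foo.fr"     ends with ".foo.fr"  (allowed)
#      referer host www.foo.fr  -> ".www.foo.fr" ends with ".foo.fr"  (allowed)
#      referer host foo.fr.com  -> ".foo.fr.com" does not             (denied)
#      referer host notfoo.fr   -> ".notfoo.fr"  does not             (denied)
#    The last case is why the dot is prepended: a bare suffix test
#    would treat notfoo.fr as ending with foo.fr.
SecRule TX:referer_host "!@endsWith %{tx.arg_domain}" \
    "phase:2,deny,status:403,log,auditlog"
```

As with the single-rule version in the message, a request without a Referer header, or without a domain argument that matches the first pattern, is not denied by rule 3, because the variable it depends on is never set.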