Re: [mod-security-users] How do I use sub-expression matches withReferer Request Header ??

[Brian R. <Bri...@br...>]

ph...@me... wrote:
> Hi all,
>  
> I've recently installed ModSec 2.1.4 and am having trouble creating the
> following rule successfully.. (probably just syntactic semantics)..
>  
> I have a Regex operating on ARGS for domain matches. This results in an
> expression match (ie TX:0) which I want to check against the referer
> header ie:
>  
> SecRule REQUEST_HEADERS:Referer !TX:0 nolog,chain
>  
> The objective is to exit the chain if a domain passed as an arg is found
> in the referer header, and if not, then continue with next rule in chain.
>  
> The problem is, this doesn't work !
>  
> I've confirmed that TX:0 and the referer header reference the expected
> data (Debug Logs & experimentation), so I can only guess it's
> syntactics. I can't find any documented examples where sub-expressions
> (ie TX:x) are used in this way.
>  
> Any Ideas ??
>  
> Thanks in advance.
>  
> Phill Gillespie 
> 


So, what you want is to check if TX.0 is equal to (or perhaps contained
in) REQUEST_HEADERS:Referer?

Unfortunately that is not really possible in ModSecurity 2.1.  This is
because a regex is the only form of string matching and it is compiled
at config time (thus you cannot interpolate variables at runtime).

However, you can do this quite easily in ModSecurity 2.5:

SecRule REQUEST_HEADERS:Referer \
  "!@contains %{ARGS.domain}" "deny,status:403,log,auditlog"

Note, though that you will most likely want something more complex as
this would be prone to false positives (eg referer was foo.fr.com and
domain was foo.fr).  I suggest you match the ARGS doing a capture into
TX, then the same with the referer and then use @endsWith to match both
the TX vars.  Doing this, you can also transform the ARGS and referer
via lowercase and have a better match.

-B

-- 
Brian Rectanus
Breach Security