Re: [mod-security-users] problem with my regex and single line HTML comment in RESPONSE_BODY
From: Stephen C. E. <ste...@gm...> - 2008-07-03 14:14:16
Hi Achim,

Pardon me if my rant is off-topic, but this seems to be a good place for it for me now.

In the 60+ hours in the last 5 days that I have spent writing ModSecurity rules for WebGoat vulnerabilities, more than half of that time has been spent on getting the regexes working. I am so tired of reading the debug file to see how my regex is being interpreted. I feel like I am a slave to the PCRE engine instead of the opposite. It's not rocket science:

1. I want an account number that has digits, characters and a hyphen, but no spaces or special characters.
2. I want a password that has alphanumeric and special chars, but has no spaces or '>' and '<'.
3. I want a user name with chars, ', -, and spaces but nothing else.

I could do this much easier and faster writing Java, C#, or C (which is why ModSecurity is written in C; check the source for urlDecodeUni). I'm at the point where I think it's easier to write my own routines in Lua and build my own library for reuse; disclaimer: I don't need speed.

(/end of rant)

Stephen

On Thu, Jul 3, 2008 at 7:10 PM, Achim Hoffmann <ah...@se...> wrote:
> !! Yes, we do use PCRE underneath. We don't do anything with the regular
> !! expression... we just pass it to the PCRE engine, compiling with
>
> thanks Ivan for this information (which could be found in the docs,
> I believe:)
>
> !! "PCRE_DOTALL
>
> this means that the s modifier in the regex is obsolete, somehow
> As the core-rules set uses (?i:) modifiers, someone -who initially
> understands that- might think to use (?s:) also.
> On the other hand: does (?m:) change it back to "dot does not match
> newline"? This is not documented in http://www.pcre.org/pcre.txt
> However, perlre man-page is accurate in that behaviour.
>
> !! | PCRE_DOLLAR_ENDONLY".
>
> hmm, this causes some questions how ModSecurity handles "strings",
> for example:
> is the whole HTTP header passed to the rules, or each line
> (means what is separated by \r\n) individually?
> That would make some difference, I guess.
> You need to know that when writing rules.
>
> Before going deeper into that (and some more examples), I'd
> suggest to point this out in the docs. I mean to describe how
> the different parts of the request/response is handled by ModSec.
>
> Achim
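The following is an added example, not code from the thread or from ModSecurity. It uses Python's Perl-style re module to show the two things discussed above: whitelist patterns for the three fields in Stephen's list (the exact character classes are my reading of his wording, not rules from the thread), and the effect of the two PCRE flags Ivan named, since Python's default "$" behaves like PCRE without PCRE_DOLLAR_ENDONLY (it also matches before a trailing newline) and "\Z" behaves like PCRE_DOLLAR_ENDONLY, while re.DOTALL is the same switch as PCRE_DOTALL. The HTML response body is constructed for the example.

```python
import re

# Hypothetical validators for the three requirements in the post.
# fullmatch() anchors at both ends, so no '^'/'$' is needed here.
ACCOUNT_RE = re.compile(r"[A-Za-z0-9-]+")        # 1. letters, digits, hyphen
PASSWORD_RE = re.compile(r"[!-;=?-~]+")           # 2. printable ASCII without
                                                 #    space (0x20), '<' (0x3C), '>' (0x3E)
USERNAME_RE = re.compile(r"[A-Za-z' -]+")         # 3. letters, apostrophe, hyphen, space

VALIDATORS = {"account": ACCOUNT_RE, "password": PASSWORD_RE, "username": USERNAME_RE}


def is_valid(kind: str, value: str) -> bool:
    """True when value consists only of the characters allowed for kind."""
    return VALIDATORS[kind].fullmatch(value) is not None


def dollar_matches(pattern: str, value: str, endonly: bool) -> bool:
    """Anchor pattern to the whole subject the way a PCRE user would with ^...$.

    endonly=False: '$' as in default PCRE (also matches just before a final '\n').
    endonly=True : '$' as compiled with PCRE_DOLLAR_ENDONLY, spelled '\Z' in Python.
    """
    anchor = r"\Z" if endonly else "$"
    return re.search(r"\A(?:" + pattern + ")" + anchor, value) is not None


# Constructed response body: one comment spans two lines, one is single-line.
BODY = "<html>\n<!-- build\n123 -->\n<p>ok</p>\n<!-- single line -->\n</html>"


def html_comment_span(body: str, dotall: bool):
    """Return the first HTML comment found in body, or None.

    With dotall=False '.' stops at a newline, so the multi-line comment is
    skipped and the single-line one is found instead. ModSecurity compiles
    with PCRE_DOTALL, which corresponds to dotall=True.
    """
    flags = re.DOTALL if dotall else 0
    m = re.search(r"<!--.*?-->", body, flags)
    return m.group(0) if m else None


if __name__ == "__main__":
    print(is_valid("account", "AB-1234"), is_valid("account", "AB 1234"))
    print(dollar_matches("[0-9]+", "1234\n", endonly=False),
          dollar_matches("[0-9]+", "1234\n", endonly=True))
    print(repr(html_comment_span(BODY, dotall=False)))
    print(repr(html_comment_span(BODY, dotall=True)))
```

The dollar_matches() case is the practical reason PCRE_DOLLAR_ENDONLY matters for a whitelist rule: a value of "1234" followed by a newline passes a plain ^[0-9]+$ check, which is exactly the kind of surprise that ends up being diagnosed from the debug log.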