Re: [mod-security-users] Strange things with SecMarker
From: Armin A. <a.a...@gm...> - 2011-11-29 12:41:05
Hi Breno,

the behaviour is that a lot of rules are skipped...same as Nick reported.

Armin

2011/11/29 Breno Silva <bre...@gm...>:
> Hi Armin,
>
> What was the strange behaviour?
>
> Note: In 2.7 ids must be numbers.
>
> Thanks
>
> Breno
>
>
> On Tue, Nov 29, 2011 at 5:47 AM, Armin Abfalterer <a.a...@gm...>
> wrote:
>>
>> Hi Nick,
>>
>> I encountered a related problem yesterday with
>> "ctl:ruleRemoveById="... mod_security v. 2.6.2 shows strange behaviour
>> with non-numeric IDs.
>>
>> Armin
>>
>>
>> 2011/11/29 Nick Gearls <nic...@gm...>:
>> > Some more info:
>> >
>> > 1. Adding ids to rules does not change the problem (and a lot of rules
>> > are actually skipped):
>> >
>> > SecRule ... "phase:2,id:1,skipAfter:endOfTest"
>> > SecRule ... "phase:2,id:2,...'"
>> > SecMarker endOfTest
>> >
>> > 2. Using a numerical id instead of "endOfTest" solves the problem:
>> >
>> > SecRule ... "phase:2,id:1,skipAfter:3"
>> > SecRule ... "phase:2,id:2,...'"
>> > SecMarker 3
>> >
>> > 3. The "string" syntax works correctly in phase:5 ?!?
>> >
>> > Any tip?
>> >
>> > Nick
>> >
>> > -------- Original Message --------
>> > Subject: Strange things with SecMarker
>> > Date: Tue, 29 Nov 2011 12:14:08 +0100
>> > From: Nick Gearls <nic...@gm...>
>> > Reply-To: nic...@gm...
>> > To: mod...@li...
>> > <mod...@li...>
>> >
>> >
>> >
>> > Hello,
>> >
>> > I see very strange things in the debug log with the following example (v
>> > 2.5.13):
>> >
>> > SecRule ... "phase:2,skipAfter:endOfTest"
>> > SecRule ... "phase:2,...'"
>> > SecMarker endOfTest
>> >
>> > Debug log:
>> >
>> > Warning. Match of ...
>> > Rule returned 1.
>> > Skipping after rule 69c0280 id="endOfTest" -> mode SKIP_RULES.
>> > Current rule is id="(null)" [chained 0] is trying to find the
>> > SecMarker="endOfTest" [stater 0]
>> > Current rule is id="950116" [chained 0] is trying to find the
>> > SecMarker="endOfTest" [stater 0]
>> > Current rule is id="950116" [chained 0] is trying to find the
>> > SecMarker="endOfTest" [stater 0]
>> > Current rule is id="(null)" [chained 0] is trying to find the
>> > SecMarker="endOfTest" [stater 0]
>> > Current rule is id="(null)" [chained 0] is trying to find the
>> > SecMarker="endOfTest" [stater 0]
>> > ...
>> >
>> > It seems that the engine is trying to find some order in the rules ids
>> > and tries to match rules defined outside this scope.
>> > Note that I did not define any rule id. Is this a problem?
>> > Is it mandatory to define ids for all rules to be skipped? If so, do
>> > they have to be sequential?
>> >
>> > Thanks,
>> >
>> > Nick
>> >
>> >
>> >
>> >
>> > ------------------------------------------------------------------------------
>> > All the data continuously generated in your IT infrastructure
>> > contains a definitive record of customers, application performance,
>> > security threats, fraudulent activity, and more. Splunk takes this
>> > data and makes sense of it. IT sense. And common sense.
>> > http://p.sf.net/sfu/splunk-novd2d
>> > _______________________________________________
>> > mod-security-users mailing list
>> > mod...@li...
>> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> > http://www.modsecurity.org/projects/commercial/rules/
>> > http://www.modsecurity.org/projects/commercial/support/
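
A configuration check for the pattern this thread describes, added here as an example and not taken from the messages or from ModSecurity itself: it flags skipAfter targets, SecMarker names and rule ids that are not numeric (the cases the posters report as misbehaving in 2.5.13 and 2.6.2), and skipAfter targets with no SecMarker later in the file. The function name `lint`, the one-directive-per-line assumption and the sample rules are constructed for illustration.

```python
import re

# Patterns for the three places a marker name or rule id can appear.
SKIP_RE = re.compile(r"\bskipAfter:'?([^,\"'\s]+)")
MARKER_RE = re.compile(r"^\s*SecMarker\s+[\"']?([^\"'\s]+)")
ID_RE = re.compile(r"\bid:'?([^,\"'\s]+)")

def lint(conf_text):
    """Return sorted (line_no, message) findings for skipAfter/SecMarker/id use."""
    lines = conf_text.splitlines()
    findings = []
    marker_lines = {}  # marker name -> line numbers where it is declared
    for no, line in enumerate(lines, 1):
        m = MARKER_RE.match(line)  # commented-out markers do not match
        if m:
            marker_lines.setdefault(m.group(1), []).append(no)
            if not m.group(1).isdigit():
                findings.append((no, f"SecMarker '{m.group(1)}' is not numeric"))
    for no, line in enumerate(lines, 1):
        if not re.match(r"\s*SecRule\b", line):
            continue
        for rule_id in ID_RE.findall(line):
            if not rule_id.isdigit():
                findings.append((no, f"rule id '{rule_id}' is not numeric"))
        for target in SKIP_RE.findall(line):
            if not target.isdigit():
                findings.append((no, f"skipAfter target '{target}' is not numeric"))
            # A target with no marker further down would skip to the end of the phase.
            if not any(ml > no for ml in marker_lines.get(target, [])):
                findings.append((no, f"skipAfter target '{target}' has no SecMarker after it"))
    return sorted(findings)

# Constructed sample configurations mirroring the two variants in the thread.
STRING_MARKER = '''\
SecRule REQUEST_URI "@contains /test" "phase:2,id:1,pass,skipAfter:endOfTest"
SecRule ARGS "@rx select" "phase:2,id:2,deny"
SecMarker endOfTest
'''
NUMERIC_MARKER = STRING_MARKER.replace("endOfTest", "3")

if __name__ == "__main__":
    for name, conf in (("string marker", STRING_MARKER), ("numeric marker", NUMERIC_MARKER)):
        print(name)
        for no, msg in lint(conf) or [(0, "no findings")]:
            print(f"  line {no}: {msg}")
```

Run it over each rules file before deployment; a finding means rules between the skipAfter and the intended marker may not be evaluated as expected and should be confirmed in the debug log.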