Re: [mod-security-users] ARGS:@pmFromFile
From: Reindl H. <h.r...@th...> - 2012-01-25 11:30:23
Wonderful! Works exactly how I want. It would be nice to see the submitted value, but that is not so important.

Phase 1 AND phase 2, because we have whitelisted some security-auditor IPs (since we would kill the scans from Nessus with "bad agents") and I like to protect some known vars per GET in each case; phase 2 is needed to protect from POST:

SecRule ARGS "!^\d{1,7}$" "chain,phase:1,id:'151',capture,logdata:'%{matched_var}',block,msg:'out of range'"
SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data"

SecRule ARGS "!^\d{1,7}$" "chain,phase:2,id:'152',capture,logdata:'%{matched_var}',block,msg:'out of range'"
SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data"

Thank you very much!

On 24.01.2012 14:47, Ryan Barnett wrote:
> You could try something like this using MATCHED_VARS_NAMES:
>
> SecRule ARGS "!^\d{1,7}$" "chain,phase:2,id:'151',capture,logdata:'%{matched_var}',block,msg:'out of range'"
> SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data"
>
> The rule generically checks all ARGS payloads against your positive security regex. If the payload does not match, then the name of the parameter is checked against your list of protected var names. It worked for me. I sent this request with two params that violate your regex (blog_id includes a ' and cfg_id is too long):
>
> $ curl "http://localhost/cgi-bin/printenv?blog_id=1234'&cfg_id=8764531232323545"
>
> The rule generated these two alerts:
>
> [Tue Jan 24 08:40:07 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Matched phrase "blog_id" at MATCHED_VARS_NAMES:blog_id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "1"] [id "151"] [msg "out of range"] [data "blog_id"] [hostname "localhost"] [uri "/cgi-bin/printenv"] [unique_id "Tx60t8CoqAEAAMThIWkAAAAA"]
> [Tue Jan 24 08:40:07 2012] [error] [client 127.0.0.1] ModSecurity: Warning. Matched phrase "cfg_id" at MATCHED_VARS_NAMES:cfg_id. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "1"] [id "151"] [msg "out of range"] [data "cfg_id"] [hostname "localhost"] [uri "/cgi-bin/printenv"] [unique_id "Tx60t8CoqAEAAMThIWkAAAAA"]
>
> The only piece of meta-data you are missing with these rules is that the logdata info won't hold the param payload but rather the name of the parameter that violated the regex rule.
>
> -Ryan
>
> On 1/24/12 6:07 AM, "Reindl Harald" <h.r...@th...> wrote:
>
>> Hi,
>>
>> I would like to replace the two commented sample rules below, of which there currently exist hundreds, so that the arg names which must be numeric can be fed from "modsecurity_99_protected_vars.data" (below), but I have no idea how to do this :-(
>>
>> The var list is growing all the time...
>>
>> SecRule ARGS:"@pmFromFile modsecurity_99_protected_vars.data" !^\d{1,7}$ "phase:1,id:'150',capture,logdata:'%{matched_var}',block,msg:'out of range'"
>> SecRule ARGS:"@pmFromFile modsecurity_99_protected_vars.data" !^\d{1,7}$ "phase:2,id:'151',capture,logdata:'%{matched_var}',block,msg:'out of range'"
>>
>> #SecRule ARGS:hid !^\d{1,7}$ "phase:1,id:'150',capture,logdata:'%{matched_var}',block,msg:'out of range'"
>> #SecRule ARGS:hid !^\d{1,7}$ "phase:2,id:'151',capture,logdata:'%{matched_var}',block,msg:'out of range'"
>> _________________
>>
>> [root@rh:~/modsecurity.d]$ cat modsecurity_99_protected_vars.data
>> blog_comment_refid
>> blog_id
>> blog_showpage
>> cfg_id
>> cms_remember_login
>> dbid
>> detail_id
>> ds_id
>> ext_group
>> ext_id
>> filter_jahr
>> filter_monat
>> filter_tag
>> fo_board_id
>> gh_id
>> gid
>> gi_id
>> gi_sid
>> gs_hid
>> gs_id
>> gs_lightbox
>> gs_rnd_hr_enable
>> gs_rnd_tn_enable
>> gs_show_title
>> gs_tn_lupe
>> gs_zoom
>> hid
>> item_id
>> k2sid
>> kid
>> ksid
>> lock_id
>> lock_key
>> od_id
>> pal_id
>> pc_entry_group_id
>> pc_entry_id
>> pc_group_id
>> pers_id
>> portal_gruppe
>> portal_id
>> portal_kategorie
>> ps_id
>> s2id
>> s2sid
>> shid
>> show_item
>> show_thread
>> sid
>> vgid
>> vugid
>> vuid
>> vvid
>> vvuid
>> yc_aktiv
>> yc_id
>> yc_page
>> yi_cid
>> yi_id
>> yi_page
>> yk_aktiv
>> yk_id
>> yk_item

--
Best regards,
Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/
http://www.thelounge.net/signature.asc.what.htm
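The chain Ryan proposes is easy to misread, so here is an added model of its evaluation order in Python. This is editorial example code, not part of the thread and not ModSecurity's own implementation: the first rule collects every ARGS entry whose value fails the positive regex, the second rule runs the phrase match over the names of those entries, and the chain fires once per matching name, which is why the [data "..."] field in Ryan's log carries the parameter name rather than the payload. Two things in the model are assumptions: the protected-vars file is a constructed four-entry subset of the posted list, and the phrase match is fed the bare parameter name, as the [data "blog_id"] in the posted log suggests. The function and variable names are the example's own. It also shows the caveat a practitioner should check before relying on this: @pm/@pmFromFile matches phrases anywhere in the input, case-insensitively, so a short entry such as "sid" also matches an unlisted parameter like "classid".

```python
import re
from urllib.parse import parse_qsl

# Constructed stand-in for modsecurity_99_protected_vars.data (a small subset of
# the list posted in the thread); a @pmFromFile data file holds one phrase per line.
PROTECTED_VARS_DATA = """\
blog_id
cfg_id
hid
sid
"""

# The positive-security check from rules 151/152: a value must be 1-7 digits.
NUMERIC = re.compile(r"^\d{1,7}$")


def load_phrases(data):
    """Parse a @pmFromFile data file: one phrase per line, blank lines and # comments ignored."""
    phrases = []
    for line in data.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            phrases.append(line.lower())
    return phrases


def pm_match(phrases, value):
    """Model of @pm / @pmFromFile: case-insensitive, a phrase matches anywhere in the
    input (substring match). Returns the first matching phrase, or None."""
    haystack = value.lower()
    for phrase in phrases:
        if phrase in haystack:
            return phrase
    return None


def evaluate_chain(args, phrases, rule_id="151"):
    """Model of the two-rule chain from the thread:

        SecRule ARGS "!^\\d{1,7}$" "chain,...,logdata:'%{matched_var}',block,msg:'out of range'"
        SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data"

    `args` is a list of (name, value) pairs, as ModSecurity fills the ARGS collection.
    Rule 1 (negated regex) matches every argument whose value is NOT 1-7 digits and
    records the names of those arguments in MATCHED_VARS_NAMES. Rule 2 phrase-matches
    each recorded name; the chain fires once per name that matches. logdata is
    expanded after the chain completes, so it carries the name, not the payload.
    """
    matched_vars_names = [name for name, value in args if not NUMERIC.match(value)]
    if not matched_vars_names:
        return []  # rule 1 did not match: the chain stops, no alert
    alerts = []
    for name in matched_vars_names:
        phrase = pm_match(phrases, name)
        if phrase is not None:
            alerts.append({
                "id": rule_id,
                "msg": "out of range",
                "matched_phrase": phrase,  # what the "Matched phrase" log text reports
                "var": name,               # MATCHED_VARS_NAMES:<name>
                "logdata": name,           # %{matched_var} at end of chain = the name
            })
    return alerts


def check_query(query_string, phrases):
    """Parse a query string into ARGS the way the phase-1 rule sees a GET request
    and run the chain over it."""
    args = parse_qsl(query_string, keep_blank_values=True)
    return evaluate_chain(args, phrases)


if __name__ == "__main__":
    phrases = load_phrases(PROTECTED_VARS_DATA)
    # Ryan's test request: two alerts, logdata holds the names.
    for alert in check_query("blog_id=1234'&cfg_id=8764531232323545", phrases):
        print(alert)
    # Substring caveat: "classid" is not in the list but contains the phrase "sid".
    print(check_query("classid=abc", phrases))
    # Clean request: every listed var is numeric, so nothing fires.
    print(check_query("blog_id=42&cfg_id=7", phrases))
```

If the substring behaviour is a problem for a list with short names, the usual remedy is to make the entries more specific or to switch the second rule to a regex anchored on the whole name; either way, test with a parameter name that merely contains a listed name before deploying in blocking mode.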