Re: [mod-security-users] Conditional targets appending weird behaviour
From: Breno S. <bre...@gm...> - 2012-07-19 16:44:38
Hello,

Yes. This is how SecUpdateTargetById works, changing the rule structure that is created using a different memory pool than the one per-transaction.

On Thu, Jul 19, 2012 at 11:21 AM, rm4dillo D <rm4...@gm...> wrote:
> Hi,
>
> I've been trying to implement some exceptions using conditional targets
> appending with the "ruleUpdateTargetById" action but after the first match,
> the exception is applied to all the following requests, just like the
> "SecRuleUpdateTargetById" directive.
>
> Example:
>
> With this configuration:
>
> SecRule REQUEST_FILENAME "@streq /not_vulnerable.cgi" "t:none,nolog,pass,ctl:ruleUpdateTargetById=973331;!ARGS:id"
>
> As expected, "GET /vulnerable.cgi?id=<script>..." matches rule 973331
> and "GET /not_vulnerable.cgi?id=<script>..." does not match rule 973331
> but when we try this "GET /vulnerable.cgi?id=<script>..." again, the
> request does not match rule 973331 because its target list has changed.
>
> I think that this happens because the "ruleUpdateTargetById" directly
> modifies the current process' "msre_ruleset" structure while the
> "ruleRemoveById" action which works correctly creates a "rule_exception"
> structure for the current request only without modifying the ruleset.
>
> P.S.: it's easier to reproduce this "bug?" by setting MaxClients to 1.
> This should force Apache to have only one process.
>
> Thank you for your help.
>
> Rm4dillo
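A simplified C model of the behaviour discussed in this thread, added here as an example; it is not ModSecurity source code or code from either poster. The struct and function names are hypothetical, and rule 973331 is reduced to a substring check on ARGS:id so that the three requests from the report can be replayed against a shared-ruleset edit and against a per-transaction exclusion.

```c
/* Simplified model (assumption, not ModSecurity source): one worker process, one rule. */
#include <stdio.h>
#include <string.h>

struct rule { int id; int excl_args_id; };   /* lives in the process-wide ruleset */
struct tx   { int excl_target_rule_id; };    /* per-request state, gone after the request */

static struct rule ruleset = { 973331, 0 };  /* shared by every request this worker serves */

/* Stand-in for rule 973331: fires when ARGS:id is still a target and holds a script tag. */
static int rule_matches(const struct rule *r, const struct tx *t, const char *arg_id) {
    if (r->excl_args_id || t->excl_target_rule_id == r->id)
        return 0;                            /* ARGS:id excluded, nothing left to inspect */
    return strstr(arg_id, "<script>") != NULL;
}

/* shared != 0: the ctl action edits the shared rule (the behaviour reported above).
   shared == 0: the exclusion is recorded on the transaction only. */
static int handle(const char *path, const char *arg_id, int shared) {
    struct tx t = { 0 };                     /* fresh transaction for every request */
    if (strcmp(path, "/not_vulnerable.cgi") == 0) {
        if (shared) ruleset.excl_args_id = 1;
        else        t.excl_target_rule_id = ruleset.id;
    }
    return rule_matches(&ruleset, &t, arg_id);
}

/* Replays the three requests from the report; bit i is set if request i matched. */
int replay(int shared) {
    const char *paths[] = { "/vulnerable.cgi", "/not_vulnerable.cgi", "/vulnerable.cgi" };
    int mask = 0;
    ruleset.excl_args_id = 0;                /* start from a fresh worker */
    for (int i = 0; i < 3; i++)
        if (handle(paths[i], "<script>...", shared))
            mask |= 1 << i;
    return mask;
}

int main(void) {
    printf("shared ruleset edit : 0x%x\n", replay(1));  /* third request no longer matches */
    printf("per-transaction edit: 0x%x\n", replay(0));  /* third request matches again */
    return 0;
}
```

In the shared case the exclusion outlives the request that triggered it, so every later request handled by that worker is inspected without ARGS:id.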