Re: [mod-security-users] Fwd: 2.7.0: regression in blocking non-numeric value
From: Breno S. <bre...@gm...> - 2013-01-10 13:47:39
Reindl Harald,

In 2.7.x we fixed an issue where in 2.6.x we were not preserving the collection's name in MATCHED_* variables. It is in the CHANGES file at some 2.7.0-rcX release that I don't remember now :)... so this is the reason you need to change the streq -> contains operator.

So it is also a good idea to read the CHANGES file, especially if you are moving to a different branch like 2.6.x -> 2.7.x where the major changes happen. Also I always release some -rc versions between branch changes for people to start testing the new features and changes, give feedback etc., and also to understand and plan the update. We waited months and months to release 2.7.0 and we mentioned the IDs requirement a long time ago so people would have time to adjust everything.

As Ryan mentioned, it is expected that some people would take an initial effort to update everything, but you need to do that just one time. After that, just define a process that your custom rules must have an ID.

Thanks

Breno

On Thu, Jan 10, 2013 at 10:37 AM, Reindl Harald <h.r...@th...> wrote:

> thanks
>
> with this change it works and blocks any non-numeric
> or uncommon long value for the listed vars as before
>
> On 10.01.2013 13:28, Breno Silva wrote:
> > Reindl Harald,
> >
> > Could you confirm if the rule is working with @contains ?
> >
> > Thanks
> >
> > On Thu, Jan 10, 2013 at 10:21 AM, Ryan Barnett <RBa...@tr...> wrote:
> >
> > On Jan 10, 2013, at 5:40 AM, "Reindl Harald" <h.r...@th...> wrote:
> >
> > > mod_security 2.7.1 has the same problem
> > > as i also confirmed before the release
> > >
> > > all in all 2.7.x makes me VERY unhappy
> > >
> > > why the hell does every rule need an id and why the
> > > hell has it to be UNIQUE -
> >
> > Reindl - ModSecurity needs to have unique rule IDs to properly handle all of the rule control directives/ctl actions such as SecRuleRemoveById, SecRuleUpdateActionById, etc... These are all extremely useful features that require unique ID values so ModSecurity knows where in memory to make adjustments. Before we enforced the rule IDs, we were running into abnormal processing and debug log output if rules were missing IDs or had duplicates.
> >
> > I understand that it can be a pain to retroactively add them but it is necessary.
> >
> > Thanks
> > Ryan
> >
> > > thank you for killing
> > > a lot of handmade rules which had VERY good reasons
> > > to have the same ID because they were supposed to
> > > be disabled for specific locations and new rules
> > > which were supposed to be also disabled got the
> > > same to not need to creep around in each and every
> > > vhost-configuration
> > >
> > >
> > > -------- Original Message --------
> > > Subject: Re: [mod-security-users] 2.7.0: regression in blocking non-numeric value
> > > Date: Tue, 30 Oct 2012 17:21:50 +0100
> > > From: Reindl Harald <h.r...@th...>
> > > Organization: the lounge interactive design
> > > To: Breno Silva <bre...@gm...>
> > > CC: Mailing-List mod_security <mod...@li...>
> > >
> > > hi
> > >
> > > yes, please give me an earlier test
> > > in production i stay with 2.6 until 2.7.2/3
> > >
> > > so this is only a test-vm where i added a lot of rule-id's
> > > and cleaned up duplicate-id's which is not funny because
> > > the duplicates were intended to make RemoveById simpler
> > >
> > > On 30.10.2012 17:10, Breno Silva wrote:
> > >> Hello Reindl,
> > >>
> > >> We had a mistake in the code during the integration with the new ports and the "block" action was disabled by mistake.
> > >> I will be releasing 2.7.1 this week and set it back.
> > >>
> > >> If you want I can send you a tarball of 2.7.1 earlier to test and check if this is the issue in your case.
> > >>
> > >> Thanks
> > >>
> > >> On Tue, Oct 30, 2012 at 10:59 AM, Reindl Harald <h.r...@th...> wrote:
> > >>
> > >>     why do the following rules no longer work?
> > >>
> > >>     goal is/was to block any request with the listed parameters
> > >>     which contains non-numeric chars or numeric values with
> > >>     more than 7 characters...........
> > >>     __________________________________________
> > >>
> > >>     [root@testserver:/etc/httpd/modsecurity.d]$ cat modsecurity_99_protected_vars.conf
> > >>     SecDefaultAction "log,auditlog,deny,status:400,phase:1"
> > >>
> > >>     SecRule ARGS "!^\d{1,7}$" "id:'83',chain,phase:1,capture,logdata:'%{matched_var}',block,msg:'out of range'"
> > >>     SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data" "chain,capture"
> > >>     SecRule MATCHED_VAR "@streq %{tx.0}"
> > >>
> > >>     SecRule ARGS "!^\d{1,7}$" "id:'84',chain,phase:2,capture,logdata:'%{matched_var}',block,msg:'out of range'"
> > >>     SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data" "chain,capture"
> > >>     SecRule MATCHED_VAR "@streq %{tx.0}"
> > >>     __________________________________________
> > >>
> > >>     [root@testserver:/etc/httpd/modsecurity.d]$ cat modsecurity_99_protected_vars.data
> > >>     blog_comment_refid
> > >>     blog_id
> > >>     blog_showpage
> > >>     cfg_id
> > >>     cms_remember_login
> > >>     dbid
> > >>     detail_id
> > >>     ds_id
> > >>     ext_group
> > >>     ext_id
> > >>     fo_board_id
> > >>     gh_id
> > >>     gid
> > >>     gi_id
> > >>     gi_sid
> > >>     gs_hid
> > >>     gs_id
> > >>     gs_lightbox
> > >>     gs_rnd_hr_enable
> > >>     gs_rnd_tn_enable
> > >>     gs_show_title
> > >>     gs_tn_lupe
> > >>     gs_zoom
> > >>     hid
> > >>     item_id
> > >>     k2sid
> > >>     kid
> > >>     ksid
> > >>     lock_id
> > >>     lock_key
> > >>     od_id
> > >>     pal_id
> > >>     pc_entry_group_id
> > >>     pc_entry_id
> > >>     pc_group_id
> > >>     pers_id
> > >>     portal_gruppe
> > >>     portal_id
> > >>     portal_kategorie
> > >>     ps_id
> > >>     pvc_id
> > >>     pvi_id
> > >>     s2id
> > >>     s2sid
> > >>     shid
> > >>     show_item
> > >>     show_thread
> > >>     sid
> > >>     vgid
> > >>     vugid
> > >>     vuid
> > >>     vvid
> > >>     vvuid
> > >>     yc_aktiv
> > >>     yc_id
> > >>     yc_page
> > >>     yi_cid
> > >>     yi_id
> > >>     yi_page
> > >>     yk_aktiv
> > >>     yk_id
> > >>     yk_item
> > >
> > > <modsecurity_99_protected_vars.conf>
> > > <modsecurity_99_protected_vars.data>
>
> --
> Reindl Harald
> the lounge interactive design GmbH
> A-1060 Vienna, Hofmühlgasse 17
> CTO / CISO / Software-Development
> p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
> icq: 154546673, http://www.thelounge.net/
>
> http://www.thelounge.net/signature.asc.what.htm
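A small Python model of the posted three-rule chain, added here as an illustration and not code from the thread or from ModSecurity itself. It shows why `@streq %{tx.0}` stopped matching once 2.7.x began reporting MATCHED_VARS_NAMES as `ARGS:name` instead of `name`, and why `@contains` restores the block. It assumes a constructed four-entry subset of the .data list and a simplified substring model of @pmFromFile; the last case shows that @contains also accepts a parameter whose name merely contains a listed name, which the original @streq rule rejected.

```python
import re

# Constructed subset of the posted modsecurity_99_protected_vars.data list.
PROTECTED = ["blog_id", "gid", "sid", "item_id"]

# Rule 1 of the chain: SecRule ARGS "!^\d{1,7}$" (1 to 7 digits is acceptable)
NUMERIC_OK = re.compile(r"^\d{1,7}$")


def pm_from_file(value, phrases):
    """Simplified @pmFromFile: first phrase found as a substring, else None."""
    for phrase in phrases:
        if phrase in value:
            return phrase
    return None


def chain_blocks(args, preserve_collection, third_operator):
    """Evaluate the posted three-rule chain against one request's ARGS.

    preserve_collection=False models 2.6.x, where MATCHED_VARS_NAMES held
    'blog_id'; True models 2.7.x, where it holds 'ARGS:blog_id'.
    third_operator is 'streq' (original rule) or 'contains' (the fix).
    Returns the names of the parameters the chain would block on.
    """
    blocked = []
    for name, value in args.items():
        if NUMERIC_OK.match(value):
            continue                      # rule 1 did not match: chain stops
        var_name = f"ARGS:{name}" if preserve_collection else name
        # Rule 2: MATCHED_VARS_NAMES "@pmFromFile ..." "chain,capture" -> tx.0
        tx0 = pm_from_file(var_name, PROTECTED)
        if tx0 is None:
            continue
        # Rule 3: MATCHED_VAR "@streq %{tx.0}"; MATCHED_VAR is now the name
        # that rule 2 matched, so the exact comparison breaks under 2.7.x
        if third_operator == "streq":
            hit = var_name == tx0
        else:
            hit = tx0 in var_name
        if hit:
            blocked.append(name)
    return blocked
```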
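Since 2.7.x requires every rule to carry an id and requires those ids to be unique, a pre-migration check over a rule file is useful. The following Python checker is added here as an example, not code from the thread or from the ModSecurity project; it treats chained continuation rules as needing no id of their own, takes a rule's action list to be its last quoted argument, and runs over a constructed sample configuration.

```python
import re
from collections import defaultdict

# Matches id:'83' or id:83 inside an action list.
ID_RE = re.compile(r"\bid:'?(\d+)'?")
# Double-quoted arguments, allowing backslash-escaped characters inside.
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample: id 83 reused for two phases, and one rule with no id.
SAMPLE_CONF = """\
SecDefaultAction "log,auditlog,deny,status:400,phase:1"
SecRule ARGS "!^\\d{1,7}$" "id:'83',chain,phase:1,capture,block,msg:'out of range'"
SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data" "chain,capture"
SecRule MATCHED_VAR "@contains %{tx.0}"
SecRule ARGS "!^\\d{1,7}$" "id:'83',chain,phase:2,capture,block,msg:'out of range'"
SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data" "chain,capture"
SecRule MATCHED_VAR "@contains %{tx.0}"
SecRule REQUEST_URI "@contains /admin" "phase:1,deny"
"""


def actions_of(rule_line):
    """Return the action list of a SecRule/SecAction line (last quoted argument)."""
    quoted = QUOTED_RE.findall(rule_line)
    return quoted[-1] if quoted else ""


def has_chain(actions):
    return any(a.strip() == "chain" for a in actions.split(","))


def check_rule_ids(conf_text):
    """Return (lines_without_id, {id: [lines]}) for ids used more than once."""
    missing, seen, in_chain = [], defaultdict(list), False
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped.startswith(("SecRule ", "SecAction ")):
            continue
        actions = actions_of(stripped)
        if in_chain:
            # Continuation rule: inherits the starter's id; stay in the chain
            # only while the continuation itself says 'chain'.
            in_chain = has_chain(actions)
            continue
        match = ID_RE.search(actions)
        if match:
            seen[match.group(1)].append(lineno)
        else:
            missing.append(lineno)
        in_chain = has_chain(actions)
    return missing, {i: ls for i, ls in seen.items() if len(ls) > 1}
```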