Re: [mod-security-users] Fwd: 2.7.0: regression in blocking non-numeric value
From: Breno S. <bre...@gm...> - 2013-01-10 16:08:21
Ok. You can continue using @streq. You just need to change and add the "ARGS:":

SecDefaultAction "phase:2,deny,log"

SecRule ARGS "!^\d{1,7}$" "id:'84',chain,phase:2,capture,logdata:'%{matched_var}',block,msg:'out of range'"
    SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data" "chain,capture"
        SecRule MATCHED_VAR "@streq ARGS:%{tx.0}"

In 2.7.0 it was not working because we accidentally removed the "block" action during the merging of nginx and IIS.

On Thu, Jan 10, 2013 at 1:31 PM, Reindl Harald <h.r...@th...> wrote:
> that is very interesting because the response of Breno Silva
> "so this is the reason you need to change streq -> contains
> operator" after I mentioned 3 months ago that this rule no
> longer works, mentioned after receiving a pre-2.7.1 that it
> still did not work and never heard anything about this
> until today I decided to push the topic again because it
> seems that there will no longer be 2.6.x updates
>
> 2.7.0: nothing is blocked
> 2.7.1: nothing is blocked
> 2.6.x: works fine
>
> > So it is also a good idea to read the CHANGES file
>
> there is not a single word about this
>
> should it work?
> should it not work?
> will it ever work again?
>
> -------- Original Message --------
> Subject: Re: [mod-security-users] Fwd: 2.7.0: regression in blocking non-numeric value
> Date: Thu, 10 Jan 2013 11:47:30 -0200
> From: Breno Silva <bre...@gm...>
> To: Reindl Harald <h.r...@th...>
> CC: Mailing-List mod_security <mod...@li...>
>
> Reindl Harald,
>
> In 2.7.x we fixed an issue where in 2.6.x we were not preserving the collection's name in MATCHED_* variables. It is in the CHANGES file at some 2.7.0-rcX release that I don't remember now :)... so this is the reason you need to change the streq -> contains operator.
>
> So it is also a good idea to read the CHANGES file, especially if you are moving to a different branch like 2.6.x -> 2.7.x where the major changes happen.
> > On 10.01.2013 16:17, Ryan Barnett wrote:
> > It is working fine for me using - ModSecurity for Apache/2.7.1
> >
> > Rules -
> >
> > SecRule ARGS "!^\d{1,7}$" "id:'84',chain,phase:2,capture,logdata:'%{matched_var}',block,msg:'out of range'"
> >     SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data" "chain,capture"
> >         SecRule MATCHED_VAR "@streq %{tx.0}"
> >
> > modsecurity_99_protected_vars.data has -
> > ARGS:hid
> >
> > Sent this request with curl -
> > $ curl "http://localhost/cgi-bin/printenv?hid=12345678"
> >
> > Generated this alert -
> > [Thu Jan 10 10:07:56 2013] [error] [client 127.0.0.1] ModSecurity: Warning. String match "ARGS:hid" at MATCHED_VAR. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "1"] [id "84"] [msg "out of range"] [data "ARGS:hid"] [hostname "MacBook-Pro-2.local"] [uri "/cgi-bin/printenv"] [unique_id "UO7ZTMCoAW4AAQV9DF8AAAAA"]
> >
> > This is the debug log processing -
> >
> > Recipe: Invoking rule 1009c3118; [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "1"] [id "84"].
> > Rule 1009c3118: SecRule "ARGS" "!@rx ^\\d{1,7}$" "phase:2,log,id:84,chain,capture,logdata:%{matched_var},block,msg:'out of range'"
> > Transformation completed in 0 usec.
> > Executing operator "!rx" with param "^\\d{1,7}$" against ARGS:hid.
> > Target value: "12345678"
> > Operator completed in 4 usec.
> > Rule returned 1.
> > Match -> mode NEXT_RULE.
> > Recipe: Invoking rule 1009c3b60; [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "2"].
> > Rule 1009c3b60: SecRule "MATCHED_VARS_NAMES" "@pmFromFile modsecurity_99_protected_vars.data" "chain,capture"
> > Set variable "ARGS:hid" size 8 to collection.
> > Transformation completed in 1 usec.
> > Executing operator "pmFromFile" with param "modsecurity_99_protected_vars.data" against ARGS:hid.
> > Target value: "ARGS:hid"
> > Added phrase match to TX.0: ARGS:hid
> > Operator completed in 20 usec.
> > Rule returned 1.
> > Match -> mode NEXT_RULE.
> > Recipe: Invoking rule 1009cd4c0; [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "3"].
> > Rule 1009cd4c0: SecRule "MATCHED_VAR" "@streq %{tx.0}"
> > Transformation completed in 1 usec.
> > Executing operator "streq" with param "%{tx.0}" against MATCHED_VAR.
> > Target value: "ARGS:hid"
> > Resolved macro %{tx.0} to: ARGS:hid
> > Operator completed in 19 usec.
> > Resolved macro %{matched_var} to: ARGS:hid
> > Warning. String match "ARGS:hid" at MATCHED_VAR. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "1"] [id "84"] [msg "out of range"] [data "ARGS:hid"]
> >
> > Need to track down why yours are not working
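The rule chain discussed in this thread, laid out as a complete 2.7.x-style configuration. This is an added example, not configuration posted by any of the participants or shipped with ModSecurity: the data-file path, the rule id and the parameter name "hid" are illustrative, and the curl probes are assumptions about a local test server. It shows the two points the replies turn on: in 2.7.x MATCHED_VARS_NAMES carries the collection-qualified name ("ARGS:hid", not "hid"), so the protected-variable list and the @streq comparison must use the same qualified form; and "block" is only a placeholder for the disruptive action set by SecDefaultAction, so without "deny" there the chain matches and logs a Warning but denies nothing.

```apacheconf
# Added example (not from the thread). Assumes ModSecurity 2.7.x on Apache,
# rules and data file in the same directory, and a local test server.

# "block" takes its disruptive action from the most recent SecDefaultAction.
# With "log" only (or no deny here) the chain below produces
# "ModSecurity: Warning. ..." and the request goes through.
SecDefaultAction "phase:2,deny,log"

# Chain semantics: all three rules must match for the actions on the first
# rule (block, msg, logdata) to fire.
#   Rule 1: some argument value is not 1 to 7 digits.
#   Rule 2: that argument's name appears in the protected-variable list;
#           capture stores the matched phrase in TX.0. In 2.7.x the name
#           tested here is collection-qualified, e.g. "ARGS:hid".
#   Rule 3: the name equals the phrase exactly, so a list entry such as
#           "ARGS:id" cannot match "ARGS:idx" the way @pm alone would.
SecRule ARGS "!^\d{1,7}$" \
    "id:84,phase:2,chain,capture,block,logdata:'%{matched_var}',msg:'out of range'"
    SecRule MATCHED_VARS_NAMES "@pmFromFile modsecurity_99_protected_vars.data" \
        "chain,capture"
        SecRule MATCHED_VAR "@streq %{tx.0}"

# modsecurity_99_protected_vars.data (one qualified name per line):
#   ARGS:hid
#
# Equivalent 2.7.x form with a bare name in the data file ("hid"):
#   SecRule MATCHED_VAR "@streq ARGS:%{tx.0}"
#
# Probes (assumed local server):
#   curl -s -o /dev/null -w '%{http_code}\n' "http://localhost/cgi-bin/printenv?hid=1234567"    # 200: in range
#   curl -s -o /dev/null -w '%{http_code}\n' "http://localhost/cgi-bin/printenv?hid=12345678"   # 403: out of range
#   curl -s -o /dev/null -w '%{http_code}\n' "http://localhost/cgi-bin/printenv?other=12345678" # 200: not protected
```

Ryan's debug output above shows all three rules returning 1 and the alert logged as a Warning, which is consistent with the chain matching but the disruptive action not being applied; Breno's fix adds the SecDefaultAction line for exactly that reason. When moving a 2.6.x data file to 2.7.x, either prefix every entry with its collection ("ARGS:") or keep the bare names and build the prefix into the @streq parameter as in the alternative above; mixing the two forms silently matches nothing, which is the "nothing is blocked" symptom reported in the thread.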