Re: [mod-security-users] Attempting to capture b64encoded env value, and output the decoded result
From: William S. <wsa...@gm...> - 2013-02-28 18:29:52
Hey Bri, long time no chat,

Thank you very much! I'm afk, but I certainly see my folly in the rule. I knew I could count on this group for an answer.

W

Sent from my iPhooey

On Feb 27, 2013, at 8:54 PM, Brian Rectanus <bre...@gm...> wrote:

> On Wed, Feb 27, 2013 at 4:56 PM, William Salusky <wsa...@gm...> wrote:
>> My ModSec kung-fu has grown weak, and I am struggling with what feels like a
>> simple capture and setenv recipe, but I can't figure out how to make it
>> work.
>>
>> I would like to take an environment variable which contains a base64 encoded
>> username, apply urldecode and base64 decode transforms, capture that decoded
>> value and assign it to yet another environment variable so that I can log
>> that final value in the access log.
>>
>> SecRule ENV:DERPUSER "^$"
>> "msg:'DERP-%{REMOTE_ADDR}',id:'999999',pass,nolog,noauditlog,t:urlDecode,t:base64Decode,capture,phase:2,setenv:THEREALUSERNAME=%{TX:1},severity:2"
>>
>> Anyone able to help me fix this?
>>
>> Thanks,
>>
>> W
>
> Hi William,
>
> How have you been?
>
> I think you are just missing the capturing part of regex (yours just
> matches the empty string). And I think you want the dot (vs colon)
> syntax in the action. You could also drop the capturing parens in the
> regex and use the full match in %{TX.0}, which may be slightly more
> efficient.
>
> SecRule ENV:DERPUSER "^(.*)$"
> "msg:'DERP-%{REMOTE_ADDR}',id:'999999',pass,nolog,noauditlog,t:urlDecode,t:base64Decode,capture,phase:2,setenv:THEREALUSERNAME=%{TX.1},severity:2"
>
> Cheers!
> -B
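The difference between the two rules quoted above, modelled in Python as an added example (not code from the thread or from ModSecurity): it applies the two transforms, runs the operator regex, and returns what `setenv` would receive. Assumptions: Python's `re`, `urllib` and `base64` stand in for ModSecurity's regex engine and transforms, an unset TX entry is modelled as an empty string, the `%{TX:1}` versus `%{TX.1}` syntax point is not modelled, and the sample value is constructed.

```python
import base64
import re
from urllib.parse import unquote_to_bytes


def transform(env_value: str) -> bytes:
    """Model t:urlDecode followed by t:base64Decode (stdlib stand-ins)."""
    raw = unquote_to_bytes(env_value)
    raw += b"=" * (-len(raw) % 4)  # tolerate stripped base64 padding
    return base64.b64decode(raw)


def simulate(pattern: str, tx_index: int, env_value: str):
    """Return the value setenv would assign, or None if the rule never matches."""
    data = transform(env_value)
    match = re.search(pattern.encode(), data)
    if match is None:
        return None  # operator did not match: no actions run, no setenv
    # 'capture' stores the whole match in TX.0 and each group in TX.1, TX.2, ...
    tx = {0: match.group(0)}
    for i, group in enumerate(match.groups(), start=1):
        if group is not None:
            tx[i] = group
    # Assumption: an unset TX entry expands to an empty string.
    return tx.get(tx_index, b"").decode("utf-8", errors="replace")


# Constructed sample: "alice" -> base64 "YWxpY2U=" -> URL-encoded "YWxpY2U%3D"
SAMPLE = "YWxpY2U%3D"

if __name__ == "__main__":
    for label, pattern, idx in [
        ("original  ^$     with TX.1", r"^$", 1),
        ("corrected ^(.*)$ with TX.1", r"^(.*)$", 1),
        ("variant   ^.*$   with TX.0", r"^.*$", 0),
    ]:
        print(label, "->", repr(simulate(pattern, idx, SAMPLE)))
```

With the original `^$` the rule only matches when the decoded value is empty, and even then there is no group to fill TX.1, so the logged variable can never carry a username.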