Re: [mod-security-users] Attempting to capture b64encoded env value, and output the decoded result
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Attempting to capture b64encoded env value, and output the decoded result via access log. I fail.
|
From: William S. <wsa...@gm...> - 2013-02-28 18:29:52
|
Hey Bri, long time no chat,
Thank you very much! I'm afk, but I certainly see my folly in the rule. I knew I could count on this group for an answer.
W
Sent from my iPhooey
On Feb 27, 2013, at 8:54 PM, Brian Rectanus <bre...@gm...> wrote:
> On Wed, Feb 27, 2013 at 4:56 PM, William Salusky <wsa...@gm...> wrote:
>> My ModSec kung-fu has grown weak, and I am struggling with what feels like a
>> simple capture and setenv recipe, but I can't figure out how to make it
>> work.
>>
>> I would like to take an environment variable which contains a base64 encoded
>> username, apply urldecode and base64 decode transforms, capture that decoded
>> value and assign it to yet another environment variable so that I can log
>> that final value in the access log.
>>
>> SecRule ENV:DERPUSER "^$"
>> "msg:'DERP-%{REMOTE_ADDR}',id:'999999',pass,nolog,noauditlog,t:urlDecode,t:base64Decode,capture,phase:2,setenv:THEREALUSERNAME=%{TX:1},severity:2"
>>
>> Anyone able to help me fix this?
>>
>> Thanks,
>>
>> W
>
> Hi William,
>
> How have you been?
>
> I think you are just missing the capturing part of regex (yours just
> matches the empty string). And I think you want the dot (vs colon)
> syntax in the action. You could also drop the capturing parens in the
> regex and use the full match in %{TX.0}, which may be slightly more
> efficient.
>
> SecRule ENV:DERPUSER "^(.*)$"
> "msg:'DERP-%{REMOTE_ADDR}',id:'999999',pass,nolog,noauditlog,t:urlDecode,t:base64Decode,capture,phase:2,setenv:THEREALUSERNAME=%{TX.1},severity:2"
>
> Cheers!
> -B
|