Re: [mod-security-users] POST value to allow but limit number of caracters

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Thu, Sep 12, 2013 at 3:12 PM, David R <re...@li...> wrote:

>
>
> Below are the logs from the server...
> Do you have any idea ?
>

Hi David,

Where did you place the SecRuleUpdateTargetByTag directives? They need to
be set after the initial rules are included, e.g. in the 48 local
exceptions file. Regarding the length rule, I forgot to invert the regex.
The correct syntax is:

SecRule ARGS:password "!^.{8,20}$" "phase:2,id:1,t:none,deny,msg:'Password
value does not meet predefined length criteria'"

--
 - Josh

> Kind regards,
>
> [Thu Sep 12 11:53:57 2013] [error] [client 195.70.13.237] ModSecurity:
> [file
>
> "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_a
> ttacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection
> Attack: SQL Tautology Detected."] [data "Matched Data: x>djdskjfd0L* found
> within ARGS:password: x>djdskjfd0L*"] [severity "CRITICAL"] [ver
> "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag
> "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag
> "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] Warning.
> Pattern match "(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\
> (\\\\)]*?)([\\\\d\\\\w]++)
> ([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)(?:(?:=|
> <=>|r?like|sounds\\\\s+like|regexp)
> ([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)\\\\2|
> (?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\ ..." at ARGS:password.
> [hostname "OBFUSCATED"] [uri "/login.pl"] [unique_id
> "UjGPNX8AAAEAABjrI48AAAAD"]
> [Thu Sep 12 11:53:57 2013] [error] [client XXXXXXXXXXX] ModSecurity:  [file
> "/etc/httpd/conf.d/obfuscated.conf"] [line "113"] [id "1"] [msg "Password
> value does not meet predefined length criteria"] Access denied with code
> 403
> (phase 2). Pattern match "^.{8,20}$" at ARGS:password. [hostname
> "obfuscated"] [uri "/login.pl"] [unique_id "UjGPNX8AAAEAABjrI48AAAAD"]
> [Thu Sep 12 11:53:57 2013] [error] [client XXXXXXXX] ModSecurity:  [file
>
> "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.con
> f"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound
> Score: 5, SQLi=5, XSS=): SQL Injection Attack: SQL Tautology Detected."]
> Warning. Operator LT matched 15 at TX:inbound_anomaly_score. [hostname
> "obfuscated"] [uri "/login.pl"] [unique_id "UjGPNX8AAAEAABjrI48AAAAD"]
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> How ServiceNow helps IT people transform IT departments:
> 1. Consolidate legacy IT systems to a single system of record for IT
> 2. Standardize and globalize service processes across IT
> 3. Implement zero-touch automation to replace manual, redundant tasks
> http://pubads.g.doubleclick.net/gampad/clk?id=51271111&iu=/4140/ostg.clktrk
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>