Re: [mod-security-users] Issues with "SecRuleUpdateTargetByTag" and Apache-Location

[Josh Amishav-Z. <ja...@ow...>]

On Wed, Oct 30, 2013 at 3:57 PM, Jan Phillip Greimann <jg...@so...>wrote:

> Hi Josh,
>
> I've got a second problem:
>
> SecRule REQUEST_FILENAME "^/../login$"
>
> "phase:1,id:1005,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=OWASP_CRS/(WEB_ATTACK/(SQL_INJECTION|XSS|LDAP_INJECTION)|PROTOCOL_VIOLATION/EVASION);ARGS:login[password]"
>
>
Hi Jan,

As a workaround perhaps tweak the regex to bypass the problematic
characters, e.g.:

SecRule REQUEST_FILENAME "^/../login$"
"phase:1,id:1005,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=OWASP_CRS.*WEB_ATTACK.*SQL_INJECTION.XSS.LDAP_INJECTION.*PROTOCOL_VIOLATION.*EVASION.*;ARGS:login[password]"

--
 - Josh

is one of my rules. In my logic it should work, but I get the following
> error:
>
> Syntax error on line 23 of
> /etc/modsecurity/modsecurity_crs_15_pre_custom.conf:
> Error parsing actions: ModSecurity: Invalid regular expression
> "OWASP_CRS/(WEB_ATTACK/(SQL_INJECTION"
> Action 'configtest' failed.
> The Apache error log may have more information.
>   failed!
>
> Where is the problem, in my opinion it's right. :-/
>
>
>
> ------------------------------------------------------------------------------
> Android is increasing in popularity, but the open development platform that
> developers love is also attractive to malware creators. Download this white
> paper to learn more about secure code signing practices that can help keep
> Android apps secure.
> http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>