[mod-security-users] Help w/ PCRE for ARGS and ARGS_NAME
From: Neha C. <nc...@gm...> - 2015-03-26 03:20:31
Hello,

I have roughly 50 SecRules that are working without issue. However, I have two specifically that should each match an ARGS and an ARGS_NAME variable, but I can't seem to match them correctly - I believe my regex is bad, or I'm not writing the rules correctly.

In the first rule, I'm attempting to use PCRE so that apachectl -t will match OK. The whitespace in the raw 'ARGS_NAMES:data[Form Phone Number]' causes modsecurity to complain. The matching regex itself is "(data(\[.*\])+)". After loading, modsec still flags this request parameter (occurring in the Request Body) as violating ID 981173.

Current rule:

SecRule ARGS_NAMES:"/^data[Tests][Form\sPhone\sNumber]$/" "(data(\[.*\])+)*" "id:307,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=.* ;ARGS_NAMES:/^data[Tests][Form\sPhone\sNumber]$/"

The alert:

[id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: ] found within ARGS_NAMES:data[Tests][Form Phone Number]: data[Tests][Form Phone Number]"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "x.x.com"] [uri "/accnt/metad"] [unique_id "VRCOTwobAq4AABfAuc0AAADg"]

In the other problematic rule, I want to whitelist all requests with the Request Body JSON variable set, in the format of '{data {"this":"that","foo":""}}'. Modsecurity still flags this as a violation of ID 981173. In general, I want to be able to get a tighter match on this parameter, as opposed to a '*.' whitespace, but I'd at least like to start with an appropriate method of whitelisting I can build on.

Here's the current rule:

SecRule ARGS_NAMES:"/^{\"data\"*/" "(.**)" "id:308,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=. *;ARGS_NAMES:/^{\"data\"*/"

The alert:

[2015-03-23T22:09:01.63216 [Mon Mar 23 22:09:01.632127 2015] [:error] [pid 6592:tid 140471007414016] [client 66.206.85.131] ModSecurity: Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS_NAMES:{"data":{"description":"Foo Bar","ids":["8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888"]}}. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \x22 found within ARGS_NAMES:{\x22data\x22:{\x22description\x22:\x22Foo Bar\x22,\x22transaction_ids\x22:[\x8d8b8b8a-8c84-8888-8888-88888888888888\x22,\8d8b8b8a-8c84-8888-8888-88888888888888\x22,\8d8b8b8a-8c84-8888-8888-88888888888888\x22,\x8d8b8b8a-8c84-8888-8888-88888888888888\x22,\x8d8b8b8a-8c84-8888-8888-88888888888888 [hostname "x.x.com"] [uri "/trans/data"] [unique_id "VRCO-QobAq4AABnAKcsAAAAO"]

What am I doing wrong here?
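As an added example (not from the post or from the ModSecurity project), the following Python checks the posted target regexes against the two ARGS_NAMES values quoted above; it assumes that a `/regex/` target selector accepts these PCRE patterns the same way Python's `re` does, and the form-body parser is a hypothetical model of why a raw JSON body ends up as a parameter name.

```python
import re

# Constructed parameter names, shaped like the two ARGS_NAMES values quoted in the post.
BRACKET_NAME = "data[Tests][Form Phone Number]"
JSON_NAME = '{"data":{"description":"Foo Bar","ids":["8d8b8b8a-8c84-8888-8888-88888888888888"]}}'

# As posted: inside a regex, [Tests] is a character class meaning "one of T e s t",
# so the literal "[" that follows "data" can never match.
POSTED_BRACKET_RE = r"^data[Tests][Form\sPhone\sNumber]$"
# Brackets escaped so they match literally; \s matches the spaces in the raw name
# without putting a space inside the rule's action string.
FIXED_BRACKET_RE = r"^data\[Tests\]\[Form\sPhone\sNumber\]$"

# As posted: the trailing "* makes the closing quote optional. This does match, but only
# six characters are anchored, so any name starting with {"data is selected.
POSTED_JSON_RE = r'^{"data"*'
# Tighter selector: the brace is escaped and the full "data" key with its colon is required.
FIXED_JSON_RE = r'^\{"data":\{'


def selects(pattern, name):
    """True if a /pattern/ target selector would pick this ARGS_NAMES value."""
    return re.search(pattern, name) is not None


def form_body_names(body):
    """Hypothetical model (assumption) of application/x-www-form-urlencoded parsing:
    each &-separated segment yields one name, and a segment with no '=' becomes a
    name with an empty value. That is how a raw JSON body lands in ARGS_NAMES."""
    names = []
    for segment in body.split("&"):
        if not segment:
            continue
        name, _, _value = segment.partition("=")
        names.append(name)
    return names


if __name__ == "__main__":
    for label, pattern, name in [
        ("posted bracket", POSTED_BRACKET_RE, BRACKET_NAME),
        ("fixed bracket", FIXED_BRACKET_RE, BRACKET_NAME),
        ("posted json", POSTED_JSON_RE, JSON_NAME),
        ("fixed json", FIXED_JSON_RE, JSON_NAME),
    ]:
        print(f"{label:15s} selects={selects(pattern, name)}")
    print("names parsed from raw JSON body:", form_body_names(JSON_NAME))
```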