Re: [mod-security-users] Rules issue
From: Chris H. <fb...@1c...> - 2006-06-24 01:03:05
Quoting Ivan Ristic:

> On 6/23/06, Chris H.:
>> Hello, and thank you for your response...
>>
>> Quoting Ivan Ristic:
>>
>> > On 6/23/06, Chris H.:
>> >> >> SecFilterSelective "REMOTE_HOST" "bad.domain.name" "action(s)"
>> >> >
>> >> > The above would require Apache to resolve IP addresses to hostnames,
>> >> > which no one does because of the rather large performance penalty
>> >> > involved.
>> >>
>> >> Not an issue. Host name resolution is enabled for all our web servers.
>> >
>> > OK, I stand corrected. In that case you might want to use a ^ at the
>> > beginning of a pattern, a $ at the end, and escape all dots. The rest
>> > is fine.
>>
>> Excellent. Can I assume that the following will work/be correct:
>>
>> SecFilterSelective "REMOTE_HOST" "^bad\.domain\.name|bad.domainB.name$" \
>>   "action(s)"
>
> No, you are missing the parentheses:
>
> SecFilterSelective "REMOTE_HOST" "^(bad\.domain\.name|bad.domainB.name)$" \
>   "action(s)"

Crap! I just noticed this when I read my reply and not only caught that but
also that I hadn't escaped my second host in the list (bad.domainB.name
_should_ have been expressed as bad\.domainB\.name). That's what I get for
responding before finishing my morning coffee. :/

>> Fair enough. OTOH, not to put your work down, but may I ask why MS
>> can't be, or isn't, designed to handle long strings of /un/escaped
>> dotted hosts or dotted quads?
>
> Because the second parameter is a regular expression. In regular
> expressions a dot is a metacharacter used to represent any character.
> There's no way around that. You can find out more at
> http://www.pcre.org.

Of course. My bad. I /promise/ not to respond with stupid questions/replies,
as I /will/ wait till my brain is fully engaged - see; finish coffee first. ;)

> ModSecurity 2.x, however, supports multiple operators. Dots need not
> be escaped with any of the additional ones.

Excellent! That's the solution I was hoping for!
On an interesting note regarding RegExp; I have the following rule in my
global ruleset because I have found that, more times than not, queries to
these guys are by people fishing for valid email addresses to spam:

SecFilterSelective "REMOTE_HOST" \
  "bosch.netcraft.com" \
  "deny,log,redirect:http://www.google.com/search?q=%22403+Forbidden"

and I got a hit almost immediately after responding to your reply:

========================================
UNIQUE_ID: RJxWH9ix8yIAAMOGFVs
Request: 194.72.238.62 - - [23/Jun/2006:13:59:12 -0700] "\x16\x03\x01" 302 0
Handler: (null)
----------------------------------------
\x16\x03\x01
mod_security-message: Access denied with redirect to \
  [http://www.google.com/search?q=%22403+Forbidden]. \
  Pattern match "bosch.netcraft.com" at REMOTE_HOST.
mod_security-action: 302

HTTP/0.9
Location: http://www.google.com/search?q=%22403+Forbidden
Connection: close

Note the lack of escaped dots in my rule for bosch.netcraft.com -
"bosch.netcraft.com". I can only imagine that this worked for two possible
reasons: 1) that I have mod_php4 compiled with PCRE, and/or 2) because it's
only a one-liner and has no other host/domain names to match against.
Anyway, thought it was worth mentioning.

Would you suggest getting the CVS version of 2, or the latest v.2 archive on
the mod_security home page? I really need to get on board with 2 in order to
do any RBL testing/development. :)

Thank you very much for your reply.

--Chris

> --
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> ModSecurity: Open source Web Application Firewall

--
panic: kernel trap (ignored)
-----------------------------------------------------------------
FreeBSD 5.4-RELEASE-p12 (SMP - 900x2) Tue Mar 7 19:37:23 PST 2006
/////////////////////////////////////////////////////////////////
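The two defects discussed in the thread (the alternation without grouping parentheses and the unescaped dots), plus the reason the unescaped one-liner still hit on bosch.netcraft.com, checked against constructed hostnames. This is an added example, not code from the thread or from ModSecurity; it assumes that Python's re module behaves like PCRE for these patterns and that SecFilterSelective does an unanchored search over REMOTE_HOST.

```python
import re

# Patterns from the thread: the first attempt, Ivan's corrected form
# (with both hosts' dots escaped), and the unescaped one-liner.
FIRST_ATTEMPT = r"^bad\.domain\.name|bad.domainB.name$"
CORRECTED = r"^(bad\.domain\.name|bad\.domainB\.name)$"
UNESCAPED_ONE_LINER = r"bosch.netcraft.com"
HARDENED_ONE_LINER = r"^bosch\.netcraft\.com$"


def matches(pattern: str, remote_host: str) -> bool:
    """Emulate SecFilterSelective: an unanchored regex search over REMOTE_HOST.
    Assumption: Python's re agrees with PCRE for the constructs used here."""
    return re.search(pattern, remote_host) is not None


def blocked_by(pattern: str, hosts: list[str]) -> list[str]:
    """Return the subset of hosts the rule would block, in input order."""
    return [h for h in hosts if matches(pattern, h)]


# Constructed hostnames (not from the thread), one per defect being probed.
SAMPLE_HOSTS = [
    "bad.domain.name",          # intended hit
    "bad.domainB.name",         # intended hit
    "bad.domain.name.example",  # first alternative has no $ -> over-blocked
    "xbad.domainB.name",        # second alternative has no ^ -> over-blocked
    "badXdomainB.name",         # unescaped '.' matches 'X' -> over-blocked
    "good.host.example",        # should never match
]

NETCRAFT_HOSTS = [
    "bosch.netcraft.com",          # the real hit: '.' also matches a literal dot
    "bosch-netcraft-com.example",  # unescaped dots match '-' as well
    "bosch.netcraft.com.example",  # no anchors, so any longer name matches too
]

if __name__ == "__main__":
    for name, pat in [("first attempt", FIRST_ATTEMPT), ("corrected", CORRECTED)]:
        print(f"{name:14s} blocks: {blocked_by(pat, SAMPLE_HOSTS)}")
    for name, pat in [("unescaped", UNESCAPED_ONE_LINER), ("hardened", HARDENED_ONE_LINER)]:
        print(f"{name:14s} blocks: {blocked_by(pat, NETCRAFT_HOSTS)}")
```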