Re: [mod-security-users] SecFilterForceByteRange vs.validateByteRange
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] SecFilterForceByteRange vs.validateByteRange
|
From: Ofer S. <OferS@Breach.com> - 2006-11-07 19:11:55
|
The example in the core rule set may be useful. It is used in file
modsecurity_crs_20_protocol_violations.conf before all the specific
detection rules.
~ Ofer
# Whether to restrict which bytes can be used.
#
# TODO In order to be broad and support localized applications this rule
# only validates that protocol and application generated fields are
# limited to printable ASCII. For parameters the rule only checks
that=20
# the values do not include null bytes. If your application use is=20
# limited to English, replace the 2nd rule with the 3rd.=20
#
SecRule
REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:
Referer \
"@validateByteRange 32-126" \
"id:960015,severity:4,msg:'Request Missing an Accept header',\
t:urlDecode,t:urlDecodeUni"
SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \
"id:960901,severity:4,msg:'Request Missing an AcceptHeader', \
t:urlDecode,t:urlDecodeUni, phase:2"
#SecRule ARGS|ARGS_NAMES "@validateByteRange 10 13 32-126" \
"id:960901,severity:4,msg:'Request Missing an Accept Header', \
t:urlDecode,t:urlDecodeUni, phase:2"
> -----Original Message-----
> From: mod...@li... [mailto:mod-
> sec...@li...] On Behalf Of Ivan Ristic
> Sent: Tuesday, November 07, 2006 7:37 PM
> To: Achim Hoffmann
> Cc: mod...@li...
> Subject: Re: [mod-security-users] SecFilterForceByteRange
> vs.validateByteRange
>=20
> On 11/7/06, Achim Hoffmann <ah...@se...> wrote:
> > !!
> > !! You can use a single operator in a rule. Therefore
> @validateByteRange,
> > !! being an operator and not an action, can't be used "with" other
> staff.
> > !! Neither can it be used in SecDefaultAction.
> >
> > so I nee to use @validateByteRange in every rule then?
> > That's a pain if you have dozent of rules.
> >
> > ...
> >
> > !! - You can specify a different range for different variables.
> > !! - It has an "event" context (id, msg....)
> > !! - It is executed in the flow or rules rather than being a build
in
> > !! pre-check (Ivan, correct me if I'm wrong here).
> >
> > So we have some more features, that's good. But we lost the default,
> which
> > ends up in an error-prone modification of each rule.
> > Or do I miss something?
>=20
> No. The idea is to use @validateByteRange only once at the beginning
> of your rule set against all of the input. For example, just use it
> against ARGS and you're done. That's exactly how it worked before.
>=20
> --
> Ivan Ristic
>=20
>
------------------------------------------------------------------------
-
> Using Tomcat but need to do more? Need to support web services,
security?
> Get stuff done quickly with pre-integrated technology to make your job
> easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache
Geronimo
>
http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=3D120709&bid=3D263057&dat=3D=
121642
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
|