Re: [mod-security-users] SecFilterForceByteRange vs.validateByteRange
From: Ofer S. <OferS@Breach.com> - 2006-11-07 19:11:55
The example in the core rule set may be useful. It is used in file modsecurity_crs_20_protocol_violations.conf before all the specific detection rules.

~ Ofer

    # Whether to restrict which bytes can be used.
    #
    # TODO In order to be broad and support localized applications this rule
    # only validates that protocol and application generated fields are
    # limited to printable ASCII. For parameters the rule only checks that
    # the values do not include null bytes. If your application use is
    # limited to English, replace the 2nd rule with the 3rd.
    #
    SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
        "@validateByteRange 32-126" \
        "id:960015,severity:4,msg:'Request Missing an Accept header',\
        t:urlDecode,t:urlDecodeUni"

    SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \
        "id:960901,severity:4,msg:'Request Missing an AcceptHeader', \
        t:urlDecode,t:urlDecodeUni, phase:2"

    #SecRule ARGS|ARGS_NAMES "@validateByteRange 10 13 32-126" \
    #    "id:960901,severity:4,msg:'Request Missing an Accept Header', \
    #    t:urlDecode,t:urlDecodeUni, phase:2"

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Ivan Ristic
> Sent: Tuesday, November 07, 2006 7:37 PM
> To: Achim Hoffmann
> Cc: mod...@li...
> Subject: Re: [mod-security-users] SecFilterForceByteRange vs.validateByteRange
>
> On 11/7/06, Achim Hoffmann <ah...@se...> wrote:
> > !!
> > !! You can use a single operator in a rule. Therefore @validateByteRange,
> > !! being an operator and not an action, can't be used "with" other stuff.
> > !! Neither can it be used in SecDefaultAction.
> >
> > so I need to use @validateByteRange in every rule then?
> > That's a pain if you have dozens of rules.
> >
> > ...
> >
> > !! - You can specify a different range for different variables.
> > !! - It has an "event" context (id, msg....)
> > !! - It is executed in the flow of rules rather than being a built-in
> > !!   pre-check (Ivan, correct me if I'm wrong here).
> >
> > So we have some more features, that's good. But we lost the default, which
> > ends up in an error-prone modification of each rule.
> > Or do I miss something?
>
> No. The idea is to use @validateByteRange only once at the beginning
> of your rule set against all of the input. For example, just use it
> against ARGS and you're done. That's exactly how it worked before.
>
> --
> Ivan Ristic
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
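As an added illustration (not code from this thread, from ModSecurity or from the Core Rule Set), the Python below models how the three CRS rules Ofer quotes evaluate, and why Ivan's "check all input once, up front" approach works: a single byte-range operator is run over every protocol field with the `32-126` policy and over every parameter with either the permissive `1-255` policy or the English-only `10 13 32-126` alternative. The request structure, the target labels, the two-pass `t:urlDecode,t:urlDecodeUni` approximation and the sample request are all constructed for this example; ModSecurity's real decoders and variable collections are more involved.

```python
# Added example: a small model of ModSecurity's @validateByteRange operator
# applied the way the CRS protocol-violation rules above apply it.
# Nothing here is ModSecurity's own code; the request layout is invented.


def parse_byte_range(spec):
    """Turn a range argument such as "1-255" or "10 13 32-126" (the CRS spelling;
    commas are accepted too) into the set of allowed byte values."""
    allowed = set()
    for token in spec.replace(",", " ").split():
        lo, _, hi = token.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError("invalid byte-range token: %r" % token)
        allowed.update(range(lo, hi + 1))
    return allowed


def _is_hex(chunk, n):
    return len(chunk) == n and all(c in b"0123456789abcdefABCDEF" for c in chunk)


def url_decode(value, uni):
    """One pass of t:urlDecode (uni=False) or t:urlDecodeUni (uni=True), approximated:
    '+' becomes a space, %XX becomes that byte, and with uni=True an IIS-style %uXXXX
    escape becomes the low byte of the code point. Malformed escapes are left alone."""
    out = bytearray()
    i = 0
    while i < len(value):
        c = value[i]
        if c == 0x2B:  # '+'
            out.append(0x20)
            i += 1
        elif c == 0x25:  # '%'
            if uni and value[i + 1:i + 2] in (b"u", b"U") and _is_hex(value[i + 2:i + 6], 4):
                out.append(int(value[i + 2:i + 6], 16) & 0xFF)
                i += 6
            elif _is_hex(value[i + 1:i + 3], 2):
                out.append(int(value[i + 1:i + 3], 16))
                i += 3
            else:
                out.append(c)
                i += 1
        else:
            out.append(c)
            i += 1
    return bytes(out)


def apply_transforms(value):
    """The rules chain t:urlDecode,t:urlDecodeUni, i.e. two decoding passes."""
    return url_decode(url_decode(value, uni=False), uni=True)


def disallowed_bytes(value, allowed):
    """(offset, byte) for every byte outside the allowed set; a non-empty list
    is exactly the condition under which @validateByteRange matches."""
    return [(i, b) for i, b in enumerate(value) if b not in allowed]


def evaluate(request, arg_range="1-255"):
    """Run rule 960015 (protocol fields, 32-126) and rule 960901 (parameters,
    arg_range) over a request dict and return (rule id, target, offset, byte) hits.
    Pass arg_range="10 13 32-126" to model the commented-out English-only rule."""
    protocol_targets = [("REQUEST_FILENAME", request["filename"])]
    for name, val in request["headers"].items():
        label = name.decode("latin-1")
        protocol_targets.append(("REQUEST_HEADERS_NAMES:" + label, name))
        if label.lower() != "referer":  # the rule excludes !REQUEST_HEADERS:Referer
            protocol_targets.append(("REQUEST_HEADERS:" + label, val))
    arg_targets = []
    for name, val in request["args"].items():
        label = name.decode("latin-1")
        arg_targets.append(("ARGS_NAMES:" + label, name))
        arg_targets.append(("ARGS:" + label, val))
    hits = []
    for rule_id, spec, targets in (("960015", "32-126", protocol_targets),
                                   ("960901", arg_range, arg_targets)):
        allowed = parse_byte_range(spec)
        for target, raw in targets:
            for off, b in disallowed_bytes(apply_transforms(raw), allowed):
                hits.append((rule_id, target, off, b))
    return hits


# Constructed sample request: a control byte in a header, a URL-encoded null
# byte in a parameter, a UTF-8 parameter value and a non-ASCII Referer.
SAMPLE = {
    "filename": b"/index.php",
    "headers": {b"Host": b"www.example.com",
                b"X-Test": b"a\x01b",
                b"Referer": b"http://example.com/\xc3\xa9"},
    "args": {b"q": b"hello+world", b"id": b"7%00", b"name": b"caf%C3%A9"},
}

if __name__ == "__main__":
    for hit in evaluate(SAMPLE):
        print("permissive:", hit)
    for hit in evaluate(SAMPLE, arg_range="10 13 32-126"):
        print("english-only:", hit)
```

With the permissive parameter policy only the null byte in `id` and the control byte in `X-Test` fire; switching to `10 13 32-126` additionally flags the two UTF-8 bytes of `name`, which is the localisation trade-off the TODO comment in the rule file describes. The excluded Referer value is never inspected, but its header name still is.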