Thread: [mod-security-users] Decode what is inside POST which was caught by mod_security
From: <no...@o2...> - 2013-05-26 02:42:51
Hi, I would like to find out what content was caught by mod_security. I was filtering REQUEST_FILENAME. Here is what I get:

--------
[16/May/2013:14:23:24 +0900] UaFyHLAJcKkAADSrEa4AAAAC 188.50.59.235 52399
--04c1b432-B--
POST /script.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: attacked-domain.com
Content-Length: 488
Connection: Keep-Alive
Cache-Control: no-cache

--04c1b432-C--
lpkKtJ=T2thamNnbjlSY2VnOW9rYWpjZ251cmNlZ2hwMDIyNEJ7Y2ptbSxhbW8=&ebrxhU=SHwiLIoCv&mRXesd=b3ozLGxtcGduY3sscXZhLGFtbyxxYw==&dPiJy=PldRR1A8bG1wb2NdcWpjcHI%2BLVdRR1A8CD5MQ09HPCBMbXBvYyJRamNwciA%2BLUxDT0c8CD5RV0BI
PCJBd3ZnIjM6e20idmdnbCJ2a2VqdiJgbW12eyJwa2ZrbGUiYGtlImZrYWk%2BLVFXQEg8Igg%2BUUBN
Rls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLXBnYHd2dmdwcSxjbntwa2FjLGxndi1jZWM3Nyxqdm9u
IDxBd3ZnIjM6e20idmdnbCJ2a2VqdiJgbW12eyJwa2ZrbGUiYGtlImZrYWk%2BLWM8Pi1ma3Q8CD4t
UUBNRls8CA%3D%3D
&LSHg=Y1JMZnV0Rk9VaFNOZA==
--04c1b432-F--
HTTP/1.1 403 Forbidden
Content-Length: 473
Connection: close
Content-Type: text/html; charset=iso-8859-1
----

I assume that the text after --04c1b432-C-- is the POST message sent to the script. I would like to know what it means, to build more specific rules for mod_security, which will filter ARGS, not only the filename.

Thanks for any help
Mike
From: Josh Amishav-Z. <ja...@ow...> - 2013-05-26 07:00:40
On Sun, May 26, 2013 at 5:43 AM, <no...@o2...> wrote:
>
> I assume that the text after --04c1b432-C-- is the POST message sent to the script. I
> would like to know what it means, to build more specific rules for
> mod_security, which will filter ARGS, not only the filename.
>

Hi Mike,

That is correct, section C in the audit log shows the request body. You can access the request parameter values directly via the ARGS, ARGS_POST and ARGS_GET collections. If you know how the POST parameter values are encoded you can use one of the available transformation functions in your rule. For example, if the parameter values were base64 encoded you could use something like:

SecRule ARGS "AttackString" "phase:2,id:1,t:none,t:base64Decode,block"

-- 
- Josh