Re: [mod-security-users] regular expressions
From: Ryan B. <Rya...@Br...> - 2007-11-09 19:22:14
One item that will help is that we are planning on creating a "technical" FAQ to complement the current general FAQ (http://www.modsecurity.org/documentation/faq.html). One item that we will add is for PCRE info, with links to our Blog entries on topic or external resources. In the meantime, here are a few Blog posts related to PCRE that may be helpful -

http://www.modsecurity.org/blog/archives/2007/03/regular_express.html
http://www.modsecurity.org/blog/archives/2006/12/using_modsecuri.html
http://www.modsecurity.org/blog/archives/2007/06/optimizing_rega.html

The first one is probably the most important as it mentions 2 tools for working with RegExs. I personally use Expresso to debug/verify my RegExs. It has an outstanding "Analyzer" feature that will tell you in plain English what the rule is doing.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

--[ Upcoming Webcast - WASC Honeypot Update ]--
Wed, November 14th - 8:30 am, Pacific DT
http://www.breach.com/resources/webinars.html

> -----Original Message-----
> From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Terje Sannum
> Sent: Friday, November 09, 2007 2:16 PM
> To: Brian Rectanus
> Cc: mod...@li...
> Subject: Re: [mod-security-users] regular expressions
>
> I also see benefit in regexp questions and discussions that will help
> for better rules. But from your invitation I fear that this list will
> be flooded with general regexp questions. Take this thread for an
> example. Regexp learning should go somewhere else...
>
> -Terje
>
> On Nov 9, 2007 7:53 PM, Brian Rectanus <Bri...@br...> wrote:
> > I see your point, but ModSecurity does nothing without rules. Most
> > rules are using PCRE. Many issues that come up here are related to
> > regex problems because of a lack of understanding of PCRE and how to
> > write (fix or expand) regex rules. I do not see any problem with regex
> > questions that relate and help with writing rules.
> >
> > Of course you need to use your best judgment and keep the posts
> > ModSecurity related.
> >
> > thanks,
> > -B
> >
> >
> > Terje Sannum wrote:
> > > Regexps can of course be hard to get into and understand, but IMO,
> > > please keep the list clean and send general regexp questions somewhere
> > > else...
> > >
> > > -Terje
> > >
> > > On Nov 9, 2007 7:01 PM, Brian Rectanus <Bri...@br...> wrote:
> > >> BTW All,
> > >>
> > >> Please continue to post questions as to what regex used in the rules
> > >> mean. PCRE is hard to understand and follow at times. They take a lot
> > >> of practice to write well and read correctly. The Core Rules use very
> > >> complex regexes (further complicated by an optimizer) and many of them
> > >> are very difficult to read.
> > >>
> > >> Read up on the basics (http://perldoc.perl.org/perlre.html).
> > >>
> > >> If that does not answer your questions (and it is a very large topic),
> > >> I (or someone else here) would be happy to answer any PCRE questions.
> > >> Becoming proficient in regex writing (or even reading) will help you a
> > >> lot in rule writing.
> > >>
> > >> If there is need (or want), perhaps I can put up a blog on the topic.
> > >>
> > >> later,
> > >> -B
> > >>
> > >>
> > >> Brian Rectanus wrote:
> > >>> Hi Ken,
> > >>>
> > >>> Thanks for your feedback. See my comments inline...
> > >>>
> > >>> Ken Senior wrote:
> > >>>> Can anyone give advice for demystifying regular expressions in
> > >>>> Modsecurity? I know regular expressions in certain contexts, but not in
> > >>>> modsecurity. It would be really nice to include at least something in
> > >>>> the manual on this. For example,
> > >>>>
> > >>>> !^apache.*perl
> > >>>>
> > >>>> What does this mean? Does it mean NOT matching "apache" OR "perl". If
> > >>>
> > >>> The '!' negates the regex as you have correctly stated. This is
> > >>> actually in the docs for SecRule, but needs improved.
> > >>>
> > >>> The '^' anchors the match to the start of the string. The '.' means
> > >>> "any character" and the '*' means "zero or more of the preceding match"
> > >>> which is a '.' in this case and thus '.*' means "anything, including
> > >>> nothing".
> > >>>
> > >>> The entire regex means:
> > >>>
> > >>> Does not match the word "apache" at the start of the string followed by
> > >>> the word "perl" anywhere after that.
> > >>>
> > >>>> so, I'd like to add wget to the list. So, would this be:
> > >>>>
> > >>>> !^apache.*perl.*wget
> > >>>
> > >>> An OR is '|'. For example:
> > >>>
> > >>> !(?:^apache.*perl|wget)
> > >>>
> > >>> The '(?:<regex>)' groups a subregex without capturing the results. A
> > >>> (<regex>) does the same, but captures the results. The ?: version is
> > >>> just more efficient if you do not need the captured results.
> > >>>
> > >>> This regex then means:
> > >>>
> > >>> Does not match the word "apache" at the start of the string followed by
> > >>> the word "perl" anywhere after that NOR the word "wget" anywhere in the
> > >>> string.
> > >>>
> > >>> Hope that helps a bit. But you should consider reading the perl
> > >>> compatible regular expressions docs.
> > >>>
> > >>> http://perldoc.perl.org/perlre.html
> > >>>
> > >>> -B
> > >>>
> > >>
> > >> --
> > >> Brian Rectanus
> > >> Breach Security
> > >>
> > >> -------------------------------------------------------------------------
> > >> This SF.net email is sponsored by: Splunk Inc.
> > >> Still grepping through log files to find problems? Stop.
> > >> Now Search log events and configuration files using AJAX and a browser.
> > >> Download your FREE copy of Splunk now >> http://get.splunk.com/
> > >> _______________________________________________
> > >> mod-security-users mailing list
> > >> mod...@li...
> > >> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > >>
> >
> >
> > --
> > Brian Rectanus
> > Breach Security
> >
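
Added example, not part of the original thread and not ModSecurity code: the three operator strings discussed above, evaluated against constructed sample values to show when each negated rule would fire. It assumes Python's re module stands in for PCRE (equivalent for these patterns); rule_fires, OPERATORS and SAMPLES are hypothetical names.

```python
import re

def parse_operator(operator):
    """Split a SecRule-style operator string into (negated, compiled regex).

    A leading '!' negates the operator; an optional '@rx ' prefix names the
    regex operator explicitly and is stripped here.
    """
    negated = operator.startswith("!")
    pattern = operator[1:] if negated else operator
    if pattern.startswith("@rx "):
        pattern = pattern[len("@rx "):]
    return negated, re.compile(pattern)

def rule_fires(operator, value):
    """True when a rule with this operator would trigger for `value`.

    The regex is searched anywhere in the value unless the pattern anchors
    itself with '^'; the '!' prefix inverts the match result.
    """
    negated, regex = parse_operator(operator)
    matched = regex.search(value) is not None
    return matched != negated

# The operator strings from the thread.
OPERATORS = [
    "!^apache.*perl",            # original rule
    "!^apache.*perl.*wget",      # chaining: needs all three words, in order
    "!(?:^apache.*perl|wget)",   # alternation: either branch is enough
]

# Constructed sample values (not taken from any real log).
SAMPLES = [
    "apache perl client",
    "wget/1.10",
    "apache then perl then wget",
    "mozilla/5.0",
    "libwww-perl via apache",    # 'perl' before 'apache': '^apache' fails
]

def truth_table():
    """Map each operator to a list of fire/skip results, one per sample."""
    return {op: [rule_fires(op, v) for v in SAMPLES] for op in OPERATORS}

if __name__ == "__main__":
    for op, row in truth_table().items():
        print(f"{op:26}", " ".join("FIRE" if r else "skip" for r in row))
```

With the chained pattern the negated rule still fires on "apache perl client" and "wget/1.10", because the regex only matches when all three words appear in order; the alternation skips both.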