Re: [mod-security-users] regular expressions
From: Terje S. <te...@wa...> - 2007-11-09 20:07:48
I think we understand each other very well, and I'm just afraid that this
list will be flooded with basic regexp questions, it does take some time
to learn that "language"...

On Nov 9, 2007 8:21 PM, Ryan Barnett <Rya...@br...> wrote:
> One item that will help is that we are planning on creating a
> "technical" FAQ to complement the current general FAQ
> (http://www.modsecurity.org/documentation/faq.html). One item that we
> will add is for PCRE info, with links to our Blog entries on topic or
> external resources. In the meantime, here are a few Blog posts related
> to PCRE that may be helpful -
>
> http://www.modsecurity.org/blog/archives/2007/03/regular_express.html
> http://www.modsecurity.org/blog/archives/2006/12/using_modsecuri.html
> http://www.modsecurity.org/blog/archives/2007/06/optimizing_rega.html
>
> The first one is probably the most important as it mentions 2 tools for
> working with RegExs. I personally use Expresso to debug/verify my
> RegExs. It has an outstanding "Analyzer" feature that will tell you
> in plain English what the rule is doing.
>
> --
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Training
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache
>
> --[ Upcoming Webcast - WASC Honeypot Update ]--
> Wed, November 14th - 8:30 am, Pacific DT
> http://www.breach.com/resources/webinars.html
>
> > -----Original Message-----
> > From: mod...@li... [mailto:mod-sec...@li...] On Behalf Of Terje Sannum
> > Sent: Friday, November 09, 2007 2:16 PM
> > To: Brian Rectanus
> > Cc: mod...@li...
> > Subject: Re: [mod-security-users] regular expressions
> >
> > I also see benefit in regexp questions and discussions that will help
> > for better rules. But from your invitation I fear that this list will
> > be flooded with general regexp questions. Take this thread for an
> > example. Regexp learning should go somewhere else...
> >
> > -Terje
> >
> > On Nov 9, 2007 7:53 PM, Brian Rectanus <Bri...@br...> wrote:
> > > I see your point, but ModSecurity does nothing without rules. Most
> > > rules are using PCRE. Many issues that come up here are related to
> > > regex problems because of a lack of understanding of PCRE and how to
> > > write (fix or expand) regex rules. I do not see any problem with regex
> > > questions that relate and help with writing rules.
> > >
> > > Of course you need to use your best judgment and keep the posts
> > > ModSecurity related.
> > >
> > > thanks,
> > > -B
> > >
> > >
> > > Terje Sannum wrote:
> > > > Regexps can of course be hard to get into and understand, but IMO,
> > > > please keep the list clean and send general regexp questions somewhere
> > > > else...
> > > >
> > > > -Terje
> > > >
> > > > On Nov 9, 2007 7:01 PM, Brian Rectanus <Bri...@br...> wrote:
> > > >> BTW All,
> > > >>
> > > >> Please continue to post questions as to what regex used in the rules
> > > >> mean. PCRE is hard to understand and follow at times. They take a lot
> > > >> of practice to write well and read correctly. The Core Rules use very
> > > >> complex regexes (further complicated by an optimizer) and many of them
> > > >> are very difficult to read.
> > > >>
> > > >> Read up on the basics (http://perldoc.perl.org/perlre.html).
> > > >>
> > > >> If that does not answer your questions (and it is a very large topic).
> > > >> I (or someone else here) would be happy to answer any PCRE questions.
> > > >> Becoming proficient in regex writing (or even reading) will help you a
> > > >> lot in rule writing.
> > > >>
> > > >> If there is need (or want), perhaps I can put up a blog on the topic.
> > > >>
> > > >> later,
> > > >> -B
> > > >>
> > > >>
> > > >> Brian Rectanus wrote:
> > > >>> Hi Ken,
> > > >>>
> > > >>> Thanks for your feedback. See my comments inline...
> > > >>>
> > > >>> Ken Senior wrote:
> > > >>>> Can anyone give advice for demystifying regular expressions in
> > > >>>> Modsecurity? I know regular expressions in certain contexts, but not in
> > > >>>> modsecurity. It would be really nice to include at least something in
> > > >>>> the manual on this. For example,
> > > >>>>
> > > >>>> !^apache.*perl
> > > >>>>
> > > >>>> What does this mean? Does it mean NOT matching "apache" OR "perl". If
> > > >>>
> > > >>> The '!' negates the regex as you have correctly stated. This is
> > > >>> actually in the docs for SecRule, but needs improved.
> > > >>>
> > > >>> The '^' anchors the match to the start of the string. The '.' means
> > > >>> "any character" and the '*' means "zero or more of the preceding match"
> > > >>> which is a '.' in this case and thus '.*' means "anything, including
> > > >>> nothing".
> > > >>>
> > > >>> The entire regex means:
> > > >>>
> > > >>> Does not match the word "apache" at the start of the string followed by
> > > >>> the word "perl" anywhere after that.
> > > >>>
> > > >>>> so, I'd like to add wget to the list. So, would this be:
> > > >>>>
> > > >>>> !^apache.*perl.*wget
> > > >>>
> > > >>> An OR is '|'. For example:
> > > >>>
> > > >>> !(?:^apache.*perl|wget)
> > > >>>
> > > >>> The '(?:<regex>)' groups a subregex without capturing the results. A
> > > >>> (<regex>) does the same, but captures the results. The ?: version is
> > > >>> just more efficient if you do not need the captured results.
> > > >>>
> > > >>> This regex then means:
> > > >>>
> > > >>> Does not match the word "apache" at the start of the string followed by
> > > >>> the word "perl" anywhere after that NOR the word "wget" anywhere in the
> > > >>> string.
> > > >>>
> > > >>> Hope that helps a bit. But you should consider reading the perl
> > > >>> compatible regular expressions docs.
> > > >>>
> > > >>> http://perldoc.perl.org/perlre.html
> > > >>>
> > > >>> -B
> > > >>>
> > > >>
> > > >> --
> > > >> Brian Rectanus
> > > >> Breach Security
> > > >>
> > > >> -------------------------------------------------------------------------
> > > >> This SF.net email is sponsored by: Splunk Inc.
> > > >> Still grepping through log files to find problems? Stop.
> > > >> Now Search log events and configuration files using AJAX and a browser.
> > > >> Download your FREE copy of Splunk now >> http://get.splunk.com/
> > > >> _______________________________________________
> > > >> mod-security-users mailing list
> > > >> mod...@li...
> > > >> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > >>
> > > >
> > >
> > > --
> > > Brian Rectanus
> > > Breach Security
> > >
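
The following is an added example, not part of the thread and not ModSecurity code. It models the three negated patterns quoted above in Python, whose `re` module treats `^`, `.`, `*`, `|` and `(?:...)` the same way PCRE does for these patterns. The sample strings and the function names `negated_rx` and `fires` are constructed for illustration.

```python
import re

# The three patterns from the thread, written without the leading '!'.
PATTERNS = {
    "original": r"^apache.*perl",
    "ken_attempt": r"^apache.*perl.*wget",
    "brian_or": r"(?:^apache.*perl|wget)",
}

# Constructed sample inputs (not taken from the thread or from real traffic).
SAMPLES = [
    "apache-test perl/5.8",
    "wget/1.10.2",
    "libwww-perl/5.805",
    "mod_perl apache",
    "apache perl wget",
    "mozilla/5.0",
]


def negated_rx(pattern, value):
    """Model of '!' in front of a regex: True when the regex does NOT match.

    re.search is unanchored, so the '^' inside the pattern supplies the
    only anchoring, and in the alternation it applies to the first
    branch only.
    """
    return re.search(pattern, value) is None


def fires(name):
    """Return the samples for which the negated pattern `name` is true."""
    return [s for s in SAMPLES if negated_rx(PATTERNS[name], s)]


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"!{pattern}")
        for sample in SAMPLES:
            state = "true " if negated_rx(pattern, sample) else "false"
            print(f"    {state} {sample}")
```

Appending `.*wget` requires "apache", "perl" and "wget" all to appear in that order, so the negated form is still true for a plain `wget/1.10.2` string; the alternation makes it false there, which is the behaviour asked for in the thread.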