Re: [mod-security-users] Problem with regexp in ModSecurity
Brought to you by:
victorhora,
zimmerletw
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-11-27 17:54:51
|
Christian is correct. I know that I sound like a broken record sometimes but... what does the debug log say??? You may need to increase the log level (I use 9 in testing) to see exactly what is happening. --=20 Ryan C. Barnett ModSecurity Community Manager Breach Security: Director of Training Web Application Security Consortium (WASC) Member CIS Apache Benchmark Project Lead SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC Author: Preventing Web Attacks with Apache > -----Original Message----- > From: mod...@li... [mailto:mod- > sec...@li...] On Behalf Of Christian > Bockermann > Sent: Tuesday, November 27, 2007 12:37 PM > To: Mathieu Dessus > Cc: mod...@li... > Subject: Re: [mod-security-users] Problem with regexp in ModSecurity >=20 > Hi! >=20 > Mathieu Dessus wrote: > > I have a problem with a regular expression. Let's consider the following > > regexp: > > > > SecRule ARGS:password "!@rx ^(?=3D.*\d)([\x20-\x7E]){6,20}$" deny > > > > SecRule ARGS:password "!@rx ^(?=3D.*[a-z])([\x20-\x7E]){6,20}$" deny > > > > SecRule ARGS:password "!@rx ^(?=3D.*[A-Z])([\x20-\x7E]){6,20}$" deny > > > > and the following test strings: > > a): abcdefg > > b): abcdef1 > > c): abcdefG > > > > The first and second regexp, works as I would expect (for the first one, > > strings a and c are denied, and for the second none of the three strings > > are denied), but for the last regexp, all the three strings are denied. > > > > Anyone can see where is the problem ? > > > Hm... I don't see the intended behaviour of your rules ;-) >=20 > However, without any knowledge of your complete setup, you > may struggle with a transformation-problem here. IIRC, ModSecurity > does have a transformation "toLower" enabled by default (at least in > the current stable version, this changes in the 2.5!!). > So without any SecDefaultAction directive beforehand all your > regexp's will be matched against the lower-case value. You can > get the "original" version by adding "t:none" to the list of actions > of your rules. >=20 > Regards, > Chris >=20 > ------------------------------------------------------------------------ - > This SF.net email is sponsored by: Microsoft > Defy all challenges. Microsoft(R) Visual Studio 2005. > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users |