Re: [mod-security-users] Query String Wildcard Params
From: Ryan B. <Rya...@Br...> - 2008-08-26 21:09:01
________________________________
From: mod...@li... [mailto:mod...@li...] On Behalf Of entracity inc
Sent: Tuesday, August 26, 2008 4:50 PM
To: mod...@li...
Subject: [mod-security-users] Query String Wildcard Params

I'm having trouble using wildcard characters with request query parameters; none of the following seem to accomplish what I'd like:

SecRule REQUEST_LINE "CHAR(4000);SET" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule REQUEST_LINE "DECLARE" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule REQUEST_LINE "DeCLARE" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule REQUEST_LINE "S=CAST" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule REQUEST_LINE "@contains CHAR(4000);SET" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule REQUEST_LINE "@contains DECLARE" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule REQUEST_LINE "@contains DeCLARE" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "S=CAST" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "CHAR(4000)" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING ";SET" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "DECLARE" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "DeCLARE" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "S=CAST" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "@contains CHAR(4000)" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "@contains ;SET" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "@contains DECLARE" "nolog,deny,status:501,ctl:auditEngine=Off"
SecRule QUERY_STRING "@contains DeCLARE" "nolog,deny,status:501,ctl:auditEngine=Off"

Any help is appreciated :)

[Ryan Barnett] Two comments -

1) My guess as to why these are not matching is that these rules are inheriting the default transformation function of lowercase. What version are you using? You could add "t:none" to your action list.

2) You shouldn't need to add in these custom rules if you are using the Core Rule Set as rule ID 959001 will catch it. Are you not using the Core Rules?
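
The behaviour guessed at in comment 1, as an added example that is not part of either message: a simplified Python model (not ModSecurity's code) of a rule whose variable is transformed before the operator runs while the pattern is left untouched. The names `rule_matches`, `QS`, `INHERITED` and `NONE` are hypothetical, the query string is constructed from tokens quoted in the thread, and the inherited `lowercase` transformation is assumed as in the reply. The model goes slightly beyond the reply by also showing that a pattern without an `@` operator is treated as a regular expression, so unescaped parentheses form a group instead of matching literally.

```python
import re

# Simplified model (assumption): transformations run on the variable's value first,
# then the operator compares the result with the rule's pattern, which is never transformed.
TRANSFORMS = {"lowercase": str.lower}

def rule_matches(value, operator_arg, transforms):
    """Return True if a SecRule-like check would fire on `value`."""
    for name in transforms:
        value = TRANSFORMS[name](value)
    if operator_arg.startswith("@contains "):
        return operator_arg[len("@contains "):] in value   # literal substring
    return re.search(operator_arg, value) is not None      # no @operator: regex

# Constructed query string using only tokens quoted in the thread; payload elided.
QS = "id=1;DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0xELIDED%20AS%20CHAR(4000))"

INHERITED = ["lowercase"]   # assumed inherited action list, per the reply's guess
NONE = []                   # effect of adding t:none to the rule

PATTERNS = [
    "@contains DECLARE",     # uppercase pattern vs. lowercased input
    "@contains DeCLARE",     # only matches one exact casing, and only with t:none
    "@contains declare",     # lowercase pattern: matches every casing after t:lowercase
    "@contains CHAR(4000)",  # literal parentheses are fine for @contains
    "CHAR(4000)",            # as a regex this means "CHAR4000"
    r"CHAR\(4000\)",         # escaped parentheses match literally
    "S=CAST",
]

def report():
    """(pattern, fires with inherited lowercase, fires with t:none) per pattern."""
    return [(p, rule_matches(QS, p, INHERITED), rule_matches(QS, p, NONE))
            for p in PATTERNS]

if __name__ == "__main__":
    for pattern, inherited, none in report():
        print(f"{pattern!r:26} lowercase={inherited!s:5} t:none={none}")
```

In this model only the lowercase pattern under `t:lowercase` is independent of how the keyword is cased in the request; the `t:none` variants fire only on the exact casing written in the rule.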