Re: [mod-security-users] Exclude URI for 950910 rule
From: <chr...@po...> - 2009-05-07 06:33:02
I like this SecRuleUpdateTargetsById idea. Would it make sense to allow this as a ctl action too?
That way you can issue the command/action with a condition.
Regs,
Christian
--
Christian Folini, IT 222
Webserver Security Engineer
________________________________
From: Ryan Barnett [mailto:Rya...@br...]
Sent: Wednesday, 6 May 2009 21:28
To: Clayton Dillard; modsec-users
Subject: Re: [mod-security-users] Exclude URI for 950910 rule
The best current approach for your situation would probably be to keep the existing 950910 rule the way that it is and delete your custom rule in the *60* file. Create a modsecurity_15_customrules.conf file and add the following:
SecRule REQUEST_FILENAME "@beginsWith /sgpsurvey/request" "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=950910"
This would disable the rule if the request is for the specified URI.
FYI - we have discussed the possibility of adding a new directive similar to SecRuleUpdateActionById but for the target/variables. Something like SecRuleUpdateTargetsById, which would allow you to do something like the following:
SecRuleUpdateTargetsById 950910 "!REQUEST_URI"
This would merge with the rule and result in the following rule:
SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES|!REQUEST_URI "%0[ad]" \
"phase:2,t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'%{TX.0}',severity:'1'"
This new directive would help with this type of local exception scenario where you would prefer to deal with this externally to the rule itself.
-Ryan
From: Clayton Dillard [mailto:cla...@gm...]
Sent: Wednesday, May 06, 2009 2:50 PM
To: modsec-users
Subject: [mod-security-users] Exclude URI for 950910 rule
We have a form that one of our developers created that uses GET to submit and in the form there is a text field that accepts multiple lines. Rule 950910 is flagging submissions that include carriage returns and line feeds as Response Splitting attacks. I wrote a modified rule and put it in our modsecurity_60 rules file but it does not work. The user is still being blocked when submitting the form after entering in one or more line feeds or carriage returns into the box.
The URL to the form is www.myserver.com/sgpsurvey/request/?PAGE=FinishPage&ACTION=SAVE so I'm trying to get ModSec to ignore "%0[ad]" if it is found in a URI that includes /sgpsurvey/request.
Here's my rule that does not work. Any assistance would be great!
SecRule !REQUEST_URI "^\/sgpsurvey\/request." "phase:2,t:none,t:lowercase,capture,ctl:auditLogParts=+E,pass,log,auditlog
SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES "%0[ad]" \
"phase:2,t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'8',logdata:'%{TX.0}',severity:'1'"
I tried to include the !REQUEST_URI "^\/sgpsurvey\/request." on the same line as REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES "%0[ad]" \ but got an error of:
Syntax error on line 126 of /usr/local/apache2/conf/modsecurity/modsecurity_crs_60_customrules.conf:
SecRule takes two or three arguments, rule target, operator and optional action list
The failing rule looks like this:
SecRule !REQUEST_URI "^\/sgpsurvey\/request."|REQUEST_HEADERS|REQUEST_HEADERS_NAMES "%0[ad]" \ "phase:2,t:none,t:lowercase,capture,ctl:auditLogParts=+E,pass,log,auditlog
"phase:2,t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'8',logdata:'%{TX.0}',severity:'1'"
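As an added illustration (not configuration from the thread), here is a custom rules file that puts Ryan's conditional exception beside the narrower forms that later ModSecurity 2.x releases shipped for the "update targets" idea Christian asks about. The rule ids 900910 and 900911 are constructed; ctl:ruleRemoveTargetById and SecRuleUpdateTargetById are the directive names as they exist in ModSecurity 2.6 and later (note the shipped name has no "s" in "Target").

```apache
# Added example, not part of the mailing-list thread.
# Rule ids 900910/900911 are constructed placeholders; the path comes from the thread.

# 1. Ryan's approach: switch off 950910 for the survey form only.
#    Runs in phase 1, so it takes effect before 950910 (phase 2) is evaluated.
#    Caveat: this drops the whole rule for that URI, so %0a/%0d in request
#    headers is no longer inspected on those requests either.
SecRule REQUEST_FILENAME "@beginsWith /sgpsurvey/request" \
    "phase:1,t:none,nolog,pass,id:'900910',ctl:ruleRemoveById=950910"

# 2. Narrower conditional form (ModSecurity 2.6+): keep 950910 active for the
#    form but remove only REQUEST_URI from its targets, so the multi-line text
#    field stops triggering it while REQUEST_HEADERS are still checked.
#    This is the ctl-action version of the SecRuleUpdateTargetsById idea.
SecRule REQUEST_FILENAME "@beginsWith /sgpsurvey/request" \
    "phase:1,t:none,nolog,pass,id:'900911',ctl:ruleRemoveTargetById=950910;REQUEST_URI"

# 3. Unconditional directive form (ModSecurity 2.6+). It modifies an already
#    loaded rule, so it must appear after the CRS file that defines 950910,
#    i.e. in a *60* file rather than modsecurity_15_customrules.conf.
#    Unlike 1 and 2 it applies to every request, not just the survey URI.
SecRuleUpdateTargetById 950910 "!REQUEST_URI"
```

Use only one of the three for a given deployment; rule 2 is the one that keeps header-based detection intact while solving the form problem.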