Re: [Mod-security-developers] sanitizeMatchedBytes question
From: Breno S. <bre...@gm...> - 2011-07-11 20:51:35
Hey Jeff,

Looking at the code, since we are using part of the same code of sanitizematched and it doesn't support RESPONSE_BODY variable you are seeing that msg.

The reason for that is it's not common people enable RESPONSE_BODY to be logged in production env, because the log dir/file will increase a lot.

I will discuss internally if we will move to the direction to support RESPONSE_BODY in sanitizematched action.

Thanks

Breno

On Mon, Jul 11, 2011 at 3:44 PM, Breno Silva <bre...@gm...> wrote:

> Hi Jeff,
>
> This seems to be a bug. I will take a look
>
> thanks
>
> Breno
>
> On Mon, Jul 11, 2011 at 3:34 PM, Jeff Sundquist <jef...@gm...> wrote:
>
>> I'm not able to get sanitizeMatchedBytes to work for RESPONSE_BODY and
>> want to confirm that this should actually work.
>>
>> I'm using the rule from the documentation:
>>
>> SecRule RESPONSE_BODY "@verifyCC \d{13,16}"
>> "phase:4,t:none,log,capture,block,msg:'Potential credit card number is
>> response body',sanitiseMatchedBytes:0/4"
>>
>> and I see the rule "fire" but it has all the credit card info intact.
>>
>> When I turn on debug I see this:
>>
>> sanitizeMatched: Don't know how to handle variable: RESPONSE_BODY
>>
>> and when I look at the code it doesn't look like there is any logic to
>> sanitize the response body in msc_logging.c.
>>
>> Before I go forward with trying to add this functionality I wanted to make
>> sure that I wasn't missing something obvious....
>>
>> Thanks,
>> Jeff
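The masking that the rule in this thread asks for on a logged response body, sketched in Python as an added example (it is not ModSecurity's code and not from any poster in the thread). It assumes `sanitiseMatchedBytes:X/Y` means "leave the first X and last Y matched bytes unmasked" and uses a plain Luhn check to stand in for `@verifyCC`; the function names and the sample body are constructed for illustration.

```python
import re

# Same candidate pattern as the rule in the thread: 13 to 16 consecutive digits.
CANDIDATE = re.compile(r"\d{13,16}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(match: str, keep_head: int, keep_tail: int) -> str:
    """Replace every byte with '*' except keep_head leading and keep_tail trailing."""
    if keep_head + keep_tail >= len(match):
        return match  # nothing left to mask
    tail_start = len(match) - keep_tail  # avoids the match[-0:] pitfall
    middle = tail_start - keep_head
    return match[:keep_head] + "*" * middle + match[tail_start:]


def sanitise_body(body: str, keep_head: int = 0, keep_tail: int = 4):
    """Mask Luhn-valid card candidates in a body before it is written to a log.

    Returns (sanitised_body, number_of_masked_matches).
    """
    hits = 0

    def repl(m: re.Match) -> str:
        nonlocal hits
        if not luhn_ok(m.group(0)):
            return m.group(0)  # digit run that is not a card number: keep as is
        hits += 1
        return mask(m.group(0), keep_head, keep_tail)

    return CANDIDATE.sub(repl, body), hits


# Constructed sample: one well-known test card number, one non-Luhn order id.
SAMPLE_BODY = "<td>Card: 4111111111111111</td><td>Order: 1234567890123456</td>"

if __name__ == "__main__":
    print(sanitise_body(SAMPLE_BODY))
```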