Re: [mod-security-users] Best Practice for Overriding Core Rule Behavior
From: Art A. S. <art...@gm...> - 2011-08-02 16:53:34
Ryan,

SecRuleUpdateTargetById sounds like a great addition. Unfortunately, I'm stuck in 2.5.12, since that is what is available with the package manager.

As far as replacing the core rule using a new ID, I tried that as well and the new rule failed to have effect. I'm unclear on how the dependencies work between this rule and the subsequent rules in the group. Maybe it is not possible to replace just the first rule? And does my replacement rule need to run before the crs_49 rules that compute the blocking score? If so, how do I arrange that?

Can you provide a working example for modifying both the target and the @ge operator value that works in 2.5.12?

Greatly appreciated,
Sam

On Tue, Aug 2, 2011 at 8:55 AM, Ryan Barnett <RBa...@tr...> wrote:
>
> On 7/31/11 7:31 PM, "Art Age Software" <art...@gm...> wrote:
>
>> I'm at a bit of a loss as to how to override rule behavior under the
>> new core rules scheme. Previously, using the old-style core rules, I
>> was able to use SecRuleRemoveById to remove a rule and then SecRule to
>> immediately redefine it. This no longer seems to work.
>
> If you create a new rule, it should have a new rule ID. Don't reuse the
> same rule ID as there can be issues with duplicate rule IDs and/or when
> you try and use SecRuleRemoveById.
>
>> Here is a specific example I am trying to solve:
>>
>> # [ SQL Injection Character Anomaly Usage ]
>> # Adjust the @ge operator value appropriately for your site.
>> #
>> SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \
>>   "@pm ~ ! @ # $ % ^ & * ( ) - + = { } [ ] | : ; \" ' ´ ¹ Œ ` < >" \
>>   "phase:2,id:'973020',t:none,t:urlDecodeUni,nolog,pass,setvar:'tx.restricted_sqli_char_payloads_%{matched_var_name}=%{matched_var}'"
>> .
>> .
>> .
>> SecRule TX:RESTRICTED_SQLI_CHAR_COUNT "@ge 4" \
>>   "phase:2,t:none,block,id:'981173',rev:'2.2.1',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',logdata:'%{matched_var}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
>>
>> I would like to adjust the @ge operator value as suggested, without
>> altering the core rule. Something like this in my Apache virtual host
>> config block:
>>
>> <VirtualHost>
>>   SecRuleRemoveById 981173
>>   SecRule TX:RESTRICTED_SQLI_CHAR_COUNT "@ge 10" \
>>     "phase:2,t:none,block,id:'981173',rev:'2.2.1',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',logdata:'%{matched_var}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"
>> </VirtualHost>
>
> If you do this, then make sure you use a new custom rule ID from an
> internal range -
> http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#id
>
>> Also, let's say I don't want to inspect cookie data. I would like to
>> do something like this:
>>
>> <VirtualHost>
>>   SecRuleRemoveById 973020
>>   SecRule REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* \
>>     "@pm ~ ! @ # $ % ^ & * ( ) - + = { } [ ] | : ; \" ' ´ ¹ Œ ` < >" \
>>     "phase:2,id:'973020',t:none,t:urlDecodeUni,nolog,pass,setvar:'tx.restricted_sqli_char_payloads_%{matched_var_name}=%{matched_var}'"
>> </VirtualHost>
>
> ModSecurity v2.6 introduced a few new methods for externally manipulating
> rules to handle local exceptions. In this case, I would recommend that
> you use SecRuleUpdateTargetById -
> http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecRuleUpdateTargetById
>
> You could add this to your vhost container -
>
> SecRuleUpdateTargetById 973020 !REQUEST_COOKIES
>
> -Ryan
>
>> What's the best practice for modifying the behavior of core rules
>> without editing the actual rules files?
>>
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users