[mod-security-users] SecRule RESPONSE_BODY - "target value" is empty for 404 - even though the user
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
[mod-security-users] SecRule RESPONSE_BODY - "target value" is empty for 404 - even though the user is geting a body....
|
From: Martin S. <Mar...@am...> - 2013-03-08 13:23:16
|
Hi!
We have been (ab)using mod_security for enhanced logging of application data in apache (2.2.21)
So we have created rules like these:
# logging of request data
SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:1000,phase:1,t:none,t:lowercase,pass,nolog,ctl:forceRequestBodyVariable=on"
SecRule REQUEST_BODY "<[Uu]sername>(.*)</[Uu]sername>" id:1001,phase:2,capture,t:none,setenv:SOAPUser=%{TX.1}
SecRule REQUEST_BODY "<wsse:Username>(.*)</wsse:Username>" id:1002,phase:2,capture,t:none,setenv:SOAPUser=%{TX.1}
# logging of response data
SecRule RESPONSE_STATUS "@rx ^[245]" id:1003,phase:4,chain
SecRule RESPONSE_BODY "@rx (<[0-9a-zA-Z]*?:?[Cc]ode>)([0-9]+)(</[0-9a-zA-Z]*?:?[Cc]ode>)" capture,t:none,setenv:AppCode=%{TX.2}
This works fine, except for the case where the application is sending a 404 Status (tomcat via mod_jk) - in that case it does NOT match...
I have enabled DEBUG logging (all the way to level 9) and get the following:
Here the example for a successful STATUS 401 response:
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Starting phase RESPONSE_BODY.
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] This phase consists of 2 rule(s).
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Recipe: Invoking rule 1780cf48; [file "/opt/.../apache/mod_security.conf"] [line "42"] [id "1003"].
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][5] Rule 1780cf48: SecRule "RESPONSE_STATUS" "@rx ^[245]" "phase:4,log,auditlog,pass,id:1003,chain"
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Transformation completed in 1 usec.
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Executing operator "rx" with param "^[245]" against RESPONSE_STATUS.
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Target value: "401"
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Operator completed in 8 usec.
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Rule returned 1.
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Match -> mode NEXT_RULE.
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Recipe: Invoking rule 1780d6b0; [file "/opt/.../apache/mod_security.conf"] [line "49"].
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][5] Rule 1780d6b0: SecRule "RESPONSE_BODY" "@rx (<.*[Cc]ode>)([0-9]+)(</.*[Cc]ode>)" "capture,t:none,setenv:AppCode=%{TX.2}"
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Transformation completed in 0 usec.
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Executing operator "rx" with param "(<.*[Cc]ode>)([0-9]+)(</.*[Cc]ode>)" against RESPONSE_BODY.
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Target value: "<?xml version="1.0" encoding="UTF-8"?>\r\n<Error>\r\n <Code>10001</Code>\r\n <Message>Authentication failure</Message>\r\n <Detail>The client has not been authenticated</Detail>\r\n</Error>\r\n"
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Added regex subexpression to TX.0: <?xml version="1.0" encoding="UTF-8"?>\r\n<Error>\r\n <Code>10001</Code>
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Added regex subexpression to TX.1: <?xml version="1.0" encoding="UTF-8"?>\r\n<Error>\r\n <Code>
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Added regex subexpression to TX.2: 10001
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Added regex subexpression to TX.3: </Code>
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Operator completed in 54 usec.
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Setting env variable: AppCode=%{TX.2}
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Resolved macro %{TX.2} to: 10001
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Set env variable "AppCode" to: 10001
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][2] Warning. Pattern match "(<.*[Cc]ode>)([0-9]+)(</.*[Cc]ode>)" at RESPONSE_BODY. [file "/opt/.../apache/mod_security.conf"] [line "42"] [id "1003"]
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Rule returned 1.
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Match -> mode NEXT_RULE.
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Output filter: Output forwarding complete.
So we see:
* Status: 401
* Target value: "<?xml version="1.0" encoding="UTF-8"?>\r\n<Error>\r\n <Code>10001</Code>\r\n <Message>Authentication failure</Message>\r\n <Detail>The client has not been authenticated</Detail>\r\n</Error>\r\n"
* SecRule matches
* AppCode" set to: 10001
So you see that in this case the APPCode environment variable gets set to 10001.
You can also see the Target value of:
So when we call the same thing, but trigger a Status 404, it looks like this instead:
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Starting phase RESPONSE_BODY.
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][9] This phase consists of 2 rule(s).
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Recipe: Invoking rule 1780cf48; [file "/opt/.../apache/mod_security.conf"
] [line "42"] [id "1003"].
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][5] Rule 1780cf48: SecRule "RESPONSE_STATUS" "@rx ^[245]" "phase:4,log,auditlog
,pass,id:1003,chain"
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Transformation completed in 1 usec.
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Executing operator "rx" with param "^[245]" against RESPONSE_STATUS.
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Target value: "404"
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Operator completed in 7 usec.
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Rule returned 1.
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Match -> mode NEXT_RULE.
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Recipe: Invoking rule 1780d6b0; [file "/opt/.../apache/mod_security.conf"
] [line "49"].
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][5] Rule 1780d6b0: SecRule "RESPONSE_BODY" "@rx (<.*[Cc]ode>)([0-9]+)(</.*[Cc]o
de>)" "capture,t:none,setenv:AppCode=%{TX.2}"
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Transformation completed in 0 usec.
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Executing operator "rx" with param "(<.*[Cc]ode>)([0-9]+)(</.*[Cc]ode>)" ag
ainst RESPONSE_BODY.
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Target value: ""
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Operator completed in 1 usec.
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Rule returned 0.
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][9] No match, not chained -> mode NEXT_RULE.
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Output filter: Output forwarding complete.
So we see:
* Status 404
* Target value: ""
* SecRule does not match
But what the caller does receive is the following:
> GET /url HTTP/1.1
> User-Agent: curl/7.26.0
> Host: host
> Accept: */*
> Authorization: WSSE profile=UsernameToken
> X-WSSE: UsernameToken Username="..."
> Content-Type: application/xml;charset=UTF-8
> Content-Length: 0
>
< HTTP/1.1 404 Not Found
< Date: Fri, 08 Mar 2013 12:44:14 GMT
< Server: Apache
< X-Context: WSCTX profile="RequestContext"
< X-WSCTX: RequestContext RequestUUID="...."
< Content-Length: 247
< Content-Type: application/xml
* HTTP error before end of send, stop sending
<
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Error xmlns="...<http://host/api>"><Code>40010</Code><Message>User not found</Message><Detail>Unable to find user: userId=...</Detail>
We tried this with mod_security 2.6.1 and now have also tried with mod_security 2.7.2 - both show the same behavior.
One other difference (besides the status code) between the responses is that one (the 401 case) returns a multi-line response while the other (failing-404) returns everything a single line.
Is there something special needed to make this work for status 404?
Or does this need a code-patch to work correctly?
Thanks,
Martin
This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement,
you may review at http://www.amdocs.com/email_disclaimer.asp
|