[mod-security-users] SecRule RESPONSE_BODY - "target value" is empty for 404 - even though the user
From: Martin S. <Mar...@am...> - 2013-03-08 13:23:16
Hi!

We have been (ab)using mod_security for enhanced logging of application data in apache (2.2.21). So we have created rules like these:

    # logging of request data
    SecRule REQUEST_HEADERS:Content-Type "text/xml" "id:1000,phase:1,t:none,t:lowercase,pass,nolog,ctl:forceRequestBodyVariable=on"
    SecRule REQUEST_BODY "<[Uu]sername>(.*)</[Uu]sername>" id:1001,phase:2,capture,t:none,setenv:SOAPUser=%{TX.1}
    SecRule REQUEST_BODY "<wsse:Username>(.*)</wsse:Username>" id:1002,phase:2,capture,t:none,setenv:SOAPUser=%{TX.1}

    # logging of response data
    SecRule RESPONSE_STATUS "@rx ^[245]" id:1003,phase:4,chain
        SecRule RESPONSE_BODY "@rx (<[0-9a-zA-Z]*?:?[Cc]ode>)([0-9]+)(</[0-9a-zA-Z]*?:?[Cc]ode>)" capture,t:none,setenv:AppCode=%{TX.2}

This works fine, except for the case where the application is sending a 404 Status (tomcat via mod_jk) - in that case it does NOT match...

I have enabled DEBUG logging (all the way to level 9) and get the following.

Here the example for a successful STATUS 401 response:

    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Starting phase RESPONSE_BODY.
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] This phase consists of 2 rule(s).
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Recipe: Invoking rule 1780cf48; [file "/opt/.../apache/mod_security.conf"] [line "42"] [id "1003"].
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][5] Rule 1780cf48: SecRule "RESPONSE_STATUS" "@rx ^[245]" "phase:4,log,auditlog,pass,id:1003,chain"
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Transformation completed in 1 usec.
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Executing operator "rx" with param "^[245]" against RESPONSE_STATUS.
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Target value: "401"
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Operator completed in 8 usec.
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Rule returned 1.
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Match -> mode NEXT_RULE.
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Recipe: Invoking rule 1780d6b0; [file "/opt/.../apache/mod_security.conf"] [line "49"].
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][5] Rule 1780d6b0: SecRule "RESPONSE_BODY" "@rx (<.*[Cc]ode>)([0-9]+)(</.*[Cc]ode>)" "capture,t:none,setenv:AppCode=%{TX.2}"
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Transformation completed in 0 usec.
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Executing operator "rx" with param "(<.*[Cc]ode>)([0-9]+)(</.*[Cc]ode>)" against RESPONSE_BODY.
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Target value: "<?xml version="1.0" encoding="UTF-8"?>\r\n<Error>\r\n <Code>10001</Code>\r\n <Message>Authentication failure</Message>\r\n <Detail>The client has not been authenticated</Detail>\r\n</Error>\r\n"
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Added regex subexpression to TX.0: <?xml version="1.0" encoding="UTF-8"?>\r\n<Error>\r\n <Code>10001</Code>
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Added regex subexpression to TX.1: <?xml version="1.0" encoding="UTF-8"?>\r\n<Error>\r\n <Code>
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Added regex subexpression to TX.2: 10001
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Added regex subexpression to TX.3: </Code>
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Operator completed in 54 usec.
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Setting env variable: AppCode=%{TX.2}
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Resolved macro %{TX.2} to: 10001
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Set env variable "AppCode" to: 10001
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][2] Warning. Pattern match "(<.*[Cc]ode>)([0-9]+)(</.*[Cc]ode>)" at RESPONSE_BODY. [file "/opt/.../apache/mod_security.conf"] [line "42"] [id "1003"]
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Rule returned 1.
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Match -> mode NEXT_RULE.
    [08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Output filter: Output forwarding complete.

So we see:

* Status: 401
* Target value: "<?xml version="1.0" encoding="UTF-8"?>\r\n<Error>\r\n <Code>10001</Code>\r\n <Message>Authentication failure</Message>\r\n <Detail>The client has not been authenticated</Detail>\r\n</Error>\r\n"
* SecRule matches
* "AppCode" set to: 10001

So you see that in this case the AppCode environment variable gets set to 10001.

So when we call the same thing, but trigger a Status 404, it looks like this instead:

    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Starting phase RESPONSE_BODY.
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][9] This phase consists of 2 rule(s).
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Recipe: Invoking rule 1780cf48; [file "/opt/.../apache/mod_security.conf"] [line "42"] [id "1003"].
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][5] Rule 1780cf48: SecRule "RESPONSE_STATUS" "@rx ^[245]" "phase:4,log,auditlog,pass,id:1003,chain"
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Transformation completed in 1 usec.
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Executing operator "rx" with param "^[245]" against RESPONSE_STATUS.
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Target value: "404"
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Operator completed in 7 usec.
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Rule returned 1.
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Match -> mode NEXT_RULE.
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Recipe: Invoking rule 1780d6b0; [file "/opt/.../apache/mod_security.conf"] [line "49"].
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][5] Rule 1780d6b0: SecRule "RESPONSE_BODY" "@rx (<.*[Cc]ode>)([0-9]+)(</.*[Cc]ode>)" "capture,t:none,setenv:AppCode=%{TX.2}"
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Transformation completed in 0 usec.
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Executing operator "rx" with param "(<.*[Cc]ode>)([0-9]+)(</.*[Cc]ode>)" against RESPONSE_BODY.
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Target value: ""
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Operator completed in 1 usec.
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Rule returned 0.
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][9] No match, not chained -> mode NEXT_RULE.
    [08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Output filter: Output forwarding complete.

So we see:

* Status 404
* Target value: ""
* SecRule does not match

But what the caller does receive is the following:

    > GET /url HTTP/1.1
    > User-Agent: curl/7.26.0
    > Host: host
    > Accept: */*
    > Authorization: WSSE profile=UsernameToken
    > X-WSSE: UsernameToken Username="..."
    > Content-Type: application/xml;charset=UTF-8
    > Content-Length: 0
    >
    < HTTP/1.1 404 Not Found
    < Date: Fri, 08 Mar 2013 12:44:14 GMT
    < Server: Apache
    < X-Context: WSCTX profile="RequestContext"
    < X-WSCTX: RequestContext RequestUUID="...."
    < Content-Length: 247
    < Content-Type: application/xml
    * HTTP error before end of send, stop sending
    <
    * Closing connection #0
    * SSLv3, TLS alert, Client hello (1):
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?><Error xmlns="...<http://host/api>"><Code>40010</Code><Message>User not found</Message><Detail>Unable to find user: userId=...</Detail>

We tried this with mod_security 2.6.1 and now have also tried with mod_security 2.7.2 - both show the same behavior.

One other difference (besides the status code) between the responses is that one (the 401 case) returns a multi-line response while the other (failing 404) returns everything on a single line.

Is there something special needed to make this work for status 404? Or does this need a code patch to work correctly?

Thanks,
Martin
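The two debug-log excerpts above differ in one place that matters: the target value handed to the RESPONSE_BODY rule. The following is an added example (not code from the post, and not part of the ModSecurity project) that pulls that target value out of a level-9 debug log per transaction, re-applies the post's response-body regex to it, and reports separately whether the regex failed or the rule was simply given an empty body. The sample log lines and RECEIVED_404_BODY are constructed to match the shapes shown in the post; the use of re.DOTALL is an assumption drawn from the post's own TX.1 capture, which spans \r\n and therefore shows the @rx operator matching across newlines.

```python
"""Triage ModSecurity 2.x debug-log output for a phase-4 response-body rule.

Added example; it is not code from the original post or from the ModSecurity
project. It reads debug-log lines of the shape shown in the post, records the
"Target value" each RESPONSE_STATUS / RESPONSE_BODY operator actually saw, and
re-applies the post's response-body regex to that value.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Regex from the chained rule in the post. The post's TX.1 capture spans \r\n,
# so the @rx operator matched across newlines; re.DOTALL reproduces that.
RESPONSE_CODE_RX = re.compile(
    r"(<[0-9a-zA-Z]*?:?[Cc]ode>)([0-9]+)(</[0-9a-zA-Z]*?:?[Cc]ode>)", re.DOTALL
)

# Debug-log line: [timestamp] [host/sid#..][rid#..][uri][level] message
LINE_RX = re.compile(
    r"^\[[^\]]*\] \[[^\]]*\]\[rid#(?P<rid>[0-9a-f]+)\]\[[^\]]*\]\[(?P<level>\d)\] (?P<msg>.*)$"
)
OPERATOR_RX = re.compile(r'^Executing operator "\w+" with param ".*" against (?P<var>\S+?)\.$')
VALUE_RX = re.compile(r'^Target value: "(?P<value>.*)"$')


def rule_would_match(body: str) -> Optional[str]:
    """Return what setenv:AppCode=%{TX.2} would receive, or None if no match."""
    m = RESPONSE_CODE_RX.search(body)
    return m.group(2) if m else None


def unescape_log_value(value: str) -> str:
    """The debug log writes CR/LF inside target values as the two characters \\r \\n."""
    return value.replace("\\r", "\r").replace("\\n", "\n")


@dataclass
class Transaction:
    rid: str
    status: Optional[str] = None
    body: Optional[str] = None

    def diagnose(self) -> str:
        if self.status is None or self.body is None:
            return "incomplete: phase 4 target values not found"
        if self.body == "":
            return f"status {self.status}: RESPONSE_BODY target value is empty; the rule never saw a body"
        code = rule_would_match(self.body)
        if code is None:
            return f"status {self.status}: body present but regex did not match"
        return f"status {self.status}: rule matched, AppCode={code}"


def parse_debug_log(text: str) -> List[Transaction]:
    """One Transaction per 'Starting phase RESPONSE_BODY.' line.

    The rid alone is not a safe key: the post shows the same rid#1785cc00 for
    two different requests, so the phase-start line delimits transactions.
    """
    txs: List[Transaction] = []
    current: Optional[Transaction] = None
    pending_var: Optional[str] = None
    for raw in text.splitlines():
        m = LINE_RX.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if msg == "Starting phase RESPONSE_BODY.":
            current = Transaction(rid=m.group("rid"))
            txs.append(current)
            pending_var = None
            continue
        if current is None:
            continue
        op = OPERATOR_RX.match(msg)
        if op:
            pending_var = op.group("var")  # the next "Target value" belongs to this variable
            continue
        val = VALUE_RX.match(msg)
        if val and pending_var:
            value = unescape_log_value(val.group("value"))
            if pending_var == "RESPONSE_STATUS":
                current.status = value
            elif pending_var == "RESPONSE_BODY":
                current.body = value
            pending_var = None
    return txs


def triage(text: str) -> List[str]:
    return [tx.diagnose() for tx in parse_debug_log(text)]


# Constructed sample, trimmed to the lines the parser needs; modelled on the
# debug output in the post (one 401 transaction, then one 404 transaction).
SAMPLE_LOG = r"""
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Starting phase RESPONSE_BODY.
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Executing operator "rx" with param "^[245]" against RESPONSE_STATUS.
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Target value: "401"
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Executing operator "rx" with param "(<.*[Cc]ode>)([0-9]+)(</.*[Cc]ode>)" against RESPONSE_BODY.
[08/Mar/2013:04:11:45 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Target value: "<?xml version="1.0" encoding="UTF-8"?>\r\n<Error>\r\n <Code>10001</Code>\r\n <Message>Authentication failure</Message>\r\n</Error>\r\n"
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Starting phase RESPONSE_BODY.
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Executing operator "rx" with param "^[245]" against RESPONSE_STATUS.
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Target value: "404"
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][4] Executing operator "rx" with param "(<.*[Cc]ode>)([0-9]+)(</.*[Cc]ode>)" against RESPONSE_BODY.
[08/Mar/2013:04:10:05 --0800] [host/sid#177de910][rid#1785cc00][/url][9] Target value: ""
"""

# Constructed single-line body in the shape of what curl received for the 404.
RECEIVED_404_BODY = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Error xmlns="http://host/api"><Code>40010</Code>'
    '<Message>User not found</Message></Error>'
)

if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
    print("regex against the body curl received:", rule_would_match(RECEIVED_404_BODY))
```

Run against the post's own data, the script reports the 401 transaction as a match with AppCode=10001 and the 404 transaction as an empty RESPONSE_BODY target; applying the rule's regex directly to the single-line body curl received returns 40010, so the single-line layout is not what stops the match. The rule only ever sees whatever ModSecurity buffered for RESPONSE_BODY, which is why checking the phase-4 target value is the first thing to do before suspecting the pattern.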