Re: [mod-security-users] Help w/ PCRE for ARGS and ARGS_NAME
From: Chaim S. <CSa...@tr...> - 2015-03-27 14:04:25
Neha,

Also keep in mind that this rule is from the 2.x branch of CRS. The 3.x branch is available on the CRS github (https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-dev) and doesn't feature this logic anymore. If you are using ModSecurity 2.8 or above, you might find this to be an easier solution.

Chaim Sanders
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

-----Original Message-----
From: Achim Hoffmann [mailto:web...@si...]
Sent: Thursday, March 26, 2015 4:19 AM
To: mod...@li...
Subject: Re: [mod-security-users] Help w/ PCRE for ARGS and ARGS_NAME

Hi Neha,

the rule complains 'cause it detects more than 4 " (double quote), see the {4,} at end of the regex.
You have to increase the number of allowed ".
I'd suggest to copy the rule twice, then remove the " in first copy and reduce the second copy to " itself and give it a proper count. Example for the second copy
    (".*?){23,}
Then also don't forget to disable the original rule (i.e. RemovebyId).

Hope this helps
Achim

On 26.03.2015 04:20, Neha Chriss wrote:
> Pattern match
> "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}"
> at ARGS_NAMES:{"data":{"description":"Foo Bar","ids":["8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888"]}}.
> [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \x22 found within ARGS_NAMES:{\x22data\x22:{\x22description\x22:\x22Foo
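To check a split like the one described in the thread against the logged parameter name before deploying it, the following added example (not code from the thread or from CRS) counts the rule's special characters bytewise. The function names and the sample value, reconstructed from the log with the e-mail line wrap undone, are assumptions of this example.

```python
import re

# Character class of CRS 2.x rule 981173, copied from the log above. The class is
# applied bytewise here, so each byte of the multi-byte quote characters counts.
SPECIALS = rb"""~!@#$%^&*()\-+={}\[\]|:;"'\xc2\xb4\xe2\x80\x99\xe2\x80\x98`<>"""

# Constructed sample: the ARGS_NAMES value shown in the log.
UUID = b"8d8b8b8a-8c84-8888-8888-88888888888888"
SAMPLE = (b'{"data":{"description":"Foo Bar","ids":["'
          + b'","'.join([UUID] * 5) + b'"]}}')


def count_hits(char_class: bytes, value: bytes) -> int:
    """Number of bytes in value that belong to the character class."""
    return len(re.findall(b"[" + char_class + b"]", value))


def fires(char_class: bytes, minimum: int, value: bytes) -> bool:
    """Would ([class].*?){minimum,} match this value?

    For a value without newlines this is the same as 'at least `minimum`
    bytes from the class', and counting avoids the heavy backtracking the
    lazy .*? causes when the pattern fails to match.
    """
    return count_hits(char_class, value) >= minimum


def evaluate(value: bytes, quote_min: int = 23) -> dict:
    """Compare the original rule with the two copies suggested in the thread."""
    no_quote = SPECIALS.replace(b'"', b"")  # first copy: class without "
    return {
        "original_981173": fires(SPECIALS, 4, value),
        "copy_without_quote": fires(no_quote, 4, value),
        "copy_quote_only": fires(b'"', quote_min, value),
        "quotes": count_hits(b'"', value),
        "other_specials": count_hits(no_quote, value),
    }


if __name__ == "__main__":
    for name, result in evaluate(SAMPLE).items():
        print(f"{name:20} {result}")
```

On the constructed sample this reports 18 double quotes and 29 other special characters, so the quote-only copy at {23,} stays quiet while the copy without the quote still exceeds {4,} because of the braces, colons, brackets and UUID hyphens.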