Re: [mod-security-users] Help w/ PCRE for ARGS and ARGS_NAME
From: Neha C. <nc...@gm...> - 2015-04-06 23:22:29
Hello Achim,

Apologies for the delayed response, thank you for your message. So I was reticent to follow this suggestion initially - it just felt wrong. I assume if I create a whitelist - matching a specific argument, and I'm specifying that all rules should be removed by tag ".*", then there should be no SecRule with a tag that will trigger for this rule. These all go into crs_15_custom.conf. I don't quite understand why the whitelist doesn't have an effect on the SecRule that triggers.

Of course, I puzzled over this and created a modified version of the rule, and that's dealt with the issue, but of course it has come up again with another rule. See follow-up to Chaim's email.

On Thu, Mar 26, 2015 at 1:18 AM, Achim Hoffmann <web...@si...> wrote:

> Hi Neha,
>
> the rule complains 'cause it detects more than 4 " (double quote), see
> the {4,} at end of the regex.
>
> You have to increase the number of allowed ".
> I'd suggest to copy the rule twice, then remove the " in first copy and
> reduce the second copy to " itself and give it a proper count.
> Example for the second copy
>     (".*?){23,}
> Then also don't forget to disable the original rule (i.e. RemovebyId).
>
> Hope this helps
> Achim
>
> On 26.03.2015 04:20, Neha Chriss wrote:
> > Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS_NAMES:{"data":{"description":"Foo Bar","ids":["8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888"]}}.
> > [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \x22 found within ARGS_NAMES:{\x22data\x22:{\x22description\x22:\x22Foo
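Added example, not part of the original thread and not CRS code: a Python script that tallies which characters of the rule's class occur in the argument name from the alert, then tests that name against the original pattern and the two copies described in the quoted reply. The sample value is rebuilt from the alert with its placeholder ids, Python's `re` stands in for PCRE, and the function and variable names are hypothetical.

```python
import re
from collections import Counter

# Character class transcribed from the pattern quoted in the alert (id 981173);
# redundant backslashes dropped, same set of characters.
SPECIALS = r"""~!@#$%^&*()\-+={}\[\]|:;"'´’‘`<>"""

def rx(chars, minimum):
    """Build '([chars].*?){minimum,}', the shape used by the rule."""
    return re.compile("([" + chars + "].*?){" + str(minimum) + ",}")

ORIGINAL = rx(SPECIALS, 4)                    # pattern as logged
NO_QUOTE = rx(SPECIALS.replace('"', ""), 4)   # first copy: " removed from class
QUOTE_ONLY = rx('"', 23)                      # second copy: (".*?){23,}

# Constructed sample: the ARGS_NAMES value from the alert, placeholder ids as posted.
UUID = "8d8b8b8a-8c84-8888-8888-88888888888888"
ARG_NAME = ('{"data":{"description":"Foo Bar","ids":['
            + ",".join('"%s"' % UUID for _ in range(5)) + "]}}")

def tally(value):
    """Count each character of `value` that belongs to the rule's class."""
    member = re.compile("[" + SPECIALS + "]")
    return Counter(member.findall(value))

def evaluate(value):
    """Report which of the three patterns would match `value`."""
    return {
        "original": bool(ORIGINAL.search(value)),
        "no_quote_copy": bool(NO_QUOTE.search(value)),
        "quote_only_copy": bool(QUOTE_ONLY.search(value)),
    }

if __name__ == "__main__":
    for ch, n in tally(ARG_NAME).most_common():
        print(repr(ch), n)
    print(evaluate(ARG_NAME))
```

On this sample the hyphens in the ids and the JSON braces, brackets and colons count toward the threshold as well as the double quotes, so the per-character tally is what both copies' counts need to be sized against.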