Re: [mod-security-users] Help w/ PCRE for ARGS and ARGS_NAME
From: Neha C. <nc...@gm...> - 2015-04-06 23:29:11
Chaim, I will consider updating to the 3.x branch. In the meantime, I'm not quite clear why my whitelist for a specific ARGS_NAME is failing to suppress rules associated with the ARGS_NAME.

I have a SecRule that's supposed to filter an ARGS_NAMES variable that looks like so:

{"data":{"uuid":"contact-3861","newContact":true,"contact_uuid":"1734cd84-cfb2-4b61-ab93-84c","contact_name":"Howard","initial_date":"2015-04-08","bookkeeping_type":"debit","request_goal_id":null,"amount":8640,"associate_with_goal":"true","periodicity":"once","category-id":"contact-3861","category-name":"Uncategorized","pin":"2675","contact_valid":"true","arrive_by":"2015-04-14"}

This is passed in the Request Body on a PUT and/or POST. The SecRule:

SecRule ARGS_NAMES:"(\{\"(data)\"\:)((\{\"[a-z_]+\"\:).*)" "(.*)" "id:308,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=.*;ARGS_NAMES:(\{\"(data)\"\:)((\{\"[a-z_]+\"\:).*)"

The regex matches the ARGS_NAMES itself, as I've tested on regexr.com, but ModSecurity still alerts on ID 981245 and 981243, each of which has the tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION". In some cases, I think the Request body needs to be split, and the request fragment triggers an alert also.

Why doesn't ctl:ruleRemoveTargetByTag work correctly here? Is my rule structured correctly? It seems the ARGS_NAMES doesn't match, and the request gets processed as normal.

Thanks,
Neha

On Fri, Mar 27, 2015 at 7:04 AM, Chaim Sanders <CSa...@tr...> wrote:
> Neha,
> Also keep in mind that this rule is from the 2.x branch of CRS. The 3.x
> branch is available on the CRS github
> (https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-dev) and
> doesn't feature this logic anymore. If you are using ModSecurity 2.8 or
> above, you might find this to be an easier solution.
>
> Chaim Sanders
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com
>
> -----Original Message-----
> From: Achim Hoffmann [mailto:web...@si...]
> Sent: Thursday, March 26, 2015 4:19 AM
> To: mod...@li...
> Subject: Re: [mod-security-users] Help w/ PCRE for ARGS and ARGS_NAME
>
> Hi Neha,
>
> the rule complains 'cause it detects more than 4 " (double quote), see the
> {4,} at end of the regex.
>
> You have to increase the number of allowed ".
> I'd suggest to copy the rule twice, then remove the " in first copy and
> reduce the second copy to " itself and give it a proper count.
> Example for the second copy
> (".*?){23,}
> Then also don't forget to disable the original rule (i.e. RemovebyId).
>
> Hope this helps
> Achim
>
> On 26.03.2015 04:20, Neha Chriss wrote:
> > Pattern match
> > "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}"
> > at ARGS_NAMES:{"data":{"description":"Foo
> > Bar","ids":["8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888","8d8b8b8a-8c84-8888-8888-88888888888888"]}}.
> > [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \x22 found within ARGS_NAMES:{\x22data\x22:{\x22description\x22:\x22Foo
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
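As an added example (not code from the thread or from ModSecurity/CRS): a small Python model of what the quoted log shows, namely that a JSON body posted as form data becomes a single ARGS_NAMES entry, with the CRS 981173 special-character class from Achim's log excerpt, Achim's quote-count variant and Neha's whitelist selector applied to it. The `SPECIALS` constant and the function names are this example's own; the sample body is the JSON from Neha's message.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample: the JSON from Neha's message, sent as a PUT/POST body
# without a JSON content type. ModSecurity's form parser then sees one
# argument whose *name* is the whole JSON text and whose value is empty,
# which is exactly what the logged "at ARGS_NAMES:{...}" shows.
SAMPLE_BODY = ('{"data":{"uuid":"contact-3861","newContact":true,'
               '"contact_uuid":"1734cd84-cfb2-4b61-ab93-84c","contact_name":"Howard",'
               '"initial_date":"2015-04-08","bookkeeping_type":"debit",'
               '"request_goal_id":null,"amount":8640,"associate_with_goal":"true",'
               '"periodicity":"once","category-id":"contact-3861",'
               '"category-name":"Uncategorized","pin":"2675","contact_valid":"true",'
               '"arrive_by":"2015-04-14"}')

# Character class of CRS rule 981173 as it appears in Achim's quoted log; the
# \xc2\xb4, \xe2\x80\x99 and \xe2\x80\x98 byte escapes there are UTF-8 for the
# acute accent and the curly single quotes written out below.
SPECIALS = '~!@#$%^&*()-+={}[]|:;"\'´’‘`<>'
CRS_981173 = re.compile('([' + re.escape(SPECIALS) + '].*?){4,}')

# Neha's whitelist selector, copied from her SecRule.
WHITELIST = re.compile(r'(\{\"(data)\"\:)((\{\"[a-z_]+\"\:).*)')


def args_names_from_form_body(body: str) -> list:
    """Model x-www-form-urlencoded parsing: split on '&', name is the part before '='."""
    return [name for name, _ in parse_qsl(body, keep_blank_values=True)]


def special_char_count(name: str) -> int:
    """How many characters from the 981173 class the argument name contains."""
    return sum(ch in SPECIALS for ch in name)


def crs_981173_matches(name: str) -> bool:
    """True when rule 981173 (four or more special characters) would flag the name."""
    return CRS_981173.search(name) is not None


def quote_threshold_matches(name: str, n: int) -> bool:
    """Achim's 'second copy': fire only when at least n double quotes are present.

    The repeated lazy group backtracks heavily when the input has almost n
    quotes, so exercise the negative case on short input only.
    """
    return re.search('(".*?){%d,}' % n, name) is not None


def whitelist_matches(name: str) -> bool:
    """Does Neha's regex select this ARGS_NAMES entry? (It does, in Python's re.)"""
    return WHITELIST.search(name) is not None
```

The selector regex does match the name here, so the regex itself is not what fails; separately, a ctl:ruleRemoveTargetByTag exception only affects rules ModSecurity evaluates after the rule carrying it, so a phase:2 exception loaded after the CRS rule files runs too late to suppress 981243/981245 in that phase.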