[Mod-security-developers] initcol with value from XML parser?
From: Altgilbers, I. M <Ian...@tu...> - 2016-07-05 21:54:49
Is it possible to use values from the XML parser with initcol?

I have a WordPress server that is getting hit from distributed IPs, attempting to brute force a few accounts via xmlrpc.php. These are domain accounts, so the users end up with locked accounts, unable to do other work. There are some unsophisticated rules out there that would block brute force attackers by IP, but I need to block by username as well.

I can use the XML parser to get variables to evaluate… This rule properly blocks requests with username “admin”:

SecRule XML:/methodCall/params/param[1]/value "admin" "phase:2,id:19302,deny,log,msg:'XMLRPC - admin not allowed'"

But I’m not having any luck using initcol…

SecAction "initcol:user=%{XML:/methodCall/params/param[1]/value},phase:2,pass,nolog,id:000001"

gives me:

Failed to resolve macro %{xml:/methodcall/params/param[1]/value}: Unknown variable: xml:/methodcall/params/param[1]/value

If I leave off the XPath query, I don’t get an error, but the user object ends up being the whole XML document, which doesn’t help.

Any ideas?

Ian Altgilbers
Senior Systems Administrator
Educational Technology Services
Tufts Technology Services
Tufts University
Phone: 617.627.0388
http://it.tufts.edu/ests
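
An added example, not part of the original post: one way to key a persistent collection on the XML-RPC username in ModSecurity 2.x is to match the XPath as a rule target (which the post shows working) and pass the captured text to initcol, instead of expanding the XPath inside a macro. The rule ids, the tx.xmlrpc_user and user.xmlrpc_attempts names, and the 5-per-600-seconds threshold are assumptions made for illustration.

```apache
# Added example; ids, variable names and thresholds are constructed.
# Assumes SecDataDir is configured so the USER collection persists.

# Parse text/xml request bodies so XML:/... XPath targets can be evaluated.
SecRule REQUEST_HEADERS:Content-Type "@contains text/xml" \
    "id:19310,phase:1,t:none,t:lowercase,pass,nolog,\
    ctl:requestBodyProcessor=XML"

# Use the XPath as the rule target, capture the username into TX.1,
# keep a copy in tx.xmlrpc_user and open the USER collection keyed on it.
# t:lowercase makes "Admin" and "admin" share one counter.
SecRule XML:/methodCall/params/param[1]/value "@rx (\S+)" \
    "id:19311,phase:2,t:none,t:lowercase,pass,nolog,capture,\
    setvar:tx.xmlrpc_user=%{TX.1},\
    initcol:user=%{TX.1}"

# Count every request that carried a username (successful or not) and
# let the counter expire 600 seconds after the last update.
SecRule TX:xmlrpc_user "@rx ." \
    "id:19312,phase:2,t:none,pass,nolog,\
    setvar:user.xmlrpc_attempts=+1,\
    expirevar:user.xmlrpc_attempts=600"

# Deny at the WAF once the per-username counter passes the threshold,
# regardless of which source IP sent the request.
SecRule USER:xmlrpc_attempts "@gt 5" \
    "id:19313,phase:2,t:none,deny,status:403,log,\
    msg:'XMLRPC - too many attempts for user %{tx.xmlrpc_user}'"
```

The threshold should sit below the domain's account-lockout limit, so the WAF starts refusing requests for a username before the directory locks the account.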