Re: [Mod-security-developers] initcol with value from XML parser?
From: Altgilbers, I. M <Ian...@tu...> - 2016-07-06 03:21:49
Ahh.. I didn’t see the users list. I'll post my question to that list.
I’ll also try your suggestion… seems like it could work.
Thanks,
Ian
On Jul 5, 2016, at 11:05 PM, Christian Folini <chr...@ne...> wrote:
Ian,
This is a question which is better addressed to modsec users.
I think this would work if you would save the XML value in a
temporary variable and use that variable with initcol afterwards.
I have not tested this, but I do not see why it would not work
that way, while your construct is smart, but maybe too difficult
for ModSec.
Ahoj,
Christian
On Tue, Jul 05, 2016 at 08:48:56PM +0000, Altgilbers, Ian M wrote:
Is it possible to use values from the XML parser with initcol?
I have a WordPress server that is getting hit from distributed IPs, attempting to brute force a few accounts via xmlrpc.php. These are domain accounts, so the users end up with locked accounts, unable to do other work. There are some unsophisticated rules out there that would block brute force attackers by IP, but I need to block by username as well.
I can use the XML parser to get variables to evaluate… This rule properly blocks requests with username “admin”:
SecRule XML:/methodCall/params/param[1]/value "admin" "phase:2,id:19302,deny,log,msg:'XMLRPC - admin not allowed'"
But I’m not having any luck using initcol…
SecAction "initcol:user=%{XML:/methodCall/params/param[1]/value},phase:2,pass,nolog,id:000001"
gives me:
Failed to resolve macro %{xml:/methodcall/params/param[1]/value}: Unknown variable: xml:/methodcall/params/param[1]/value
If I leave off the Xpath query, I don’t get an error, but the user object ends up being the whole XML document, which doesn’t help. Any ideas?
Ian Altgilbers
Senior Systems Administrator
Educational Technology Services
Tufts Technology Services
Tufts University
Phone: 617.627.0388
http://it.tufts.edu/ests
_______________________________________________
mod-security-developers mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php
--
ModSecurity Training in London: Sep 22/23, 2016
https://www.feistyduck.com/training/modsecurity-training-course
mailto:chr...@ne...
twitter: @ChrFolini
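Christian's suggestion in the thread above (copy the XPath result into a temporary variable, then key initcol on that variable), sketched as ModSecurity 2.x rules. This is an added example, not rules posted by either participant: the rule ids, the tx.xmlrpc_user and user.xmlrpc_attempts names, the 64-character cap, the threshold and the expiry are assumptions. It also assumes the XML body processor is already active for xmlrpc.php requests and that SecDataDir is set so persistent collections can be stored.

```apache
# Added example. Ids, variable names and limits below are assumptions.

# 1. Copy the username node into a TX variable via a regex capture.
#    The thread's error shows %{XML:/...} is not resolved as a macro;
#    %{TX.1} is an ordinary transaction variable. The capture is capped
#    at 64 characters so a request cannot create arbitrarily long keys.
SecRule XML:/methodCall/params/param[1]/value "@rx (\S{1,64})" \
    "id:1000001,phase:2,pass,nolog,capture,\
    setvar:'tx.xmlrpc_user=%{TX.1}'"

# 2. Open the per-username persistent collection. The rule has no target
#    to evaluate, and so does nothing, when step 1 found no username.
SecRule TX:xmlrpc_user "!@rx ^$" \
    "id:1000002,phase:2,pass,nolog,\
    initcol:user=%{tx.xmlrpc_user}"

# 3. Count requests per username. The counter expires 600 seconds after
#    the most recent request. Every XML-RPC call naming the user is
#    counted, not only failed logins, because the login outcome is not
#    known in phase 2.
SecRule TX:xmlrpc_user "!@rx ^$" \
    "id:1000003,phase:2,pass,nolog,\
    setvar:user.xmlrpc_attempts=+1,\
    expirevar:user.xmlrpc_attempts=600"

# 4. Deny once the per-username count passes the threshold, whatever the
#    source IP of the request.
SecRule USER:xmlrpc_attempts "@gt 10" \
    "id:1000004,phase:2,deny,status:403,log,\
    msg:'XMLRPC - too many requests for one username'"
```

Choose the threshold so it is lower than the directory's own lockout count, so that requests are denied before the domain account locks.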