Hi again.
I found in Google Play a book about mod_security that explains operator
negation with 2 ARGS values in the same rule:
https://books.google.es/books?id=HnQl5OVtOYgC&pg=PA86&lpg=PA86&dq=modsecurity+ARGS+multiple+arguments&source=bl&ots=0ErmQ9AdOf&sig=cyJ9R_d--8SYkp7aCYJxCTGPPNw&hl=es&sa=X&ved=0ahUKEwjtp6qr8rDPAhVDVhQKHQLsDl4Q6AEIWTAH#v=onepage&q=modsecurity%20ARGS%20multiple%20arguments&f=false
As you can see, the rule is: SecRule ARGS:p|ARGS:q "!@eq 5"
so I think it is clear you can check in a rule for as many ARGS values as you
need until you reach a limit, as all computers have (I think if you try with 5000
ARGS, probably your SDBM and collection files will work badly, or maybe not;
I didn't test it), but I think Leonardo will be able to create a rule with as
many ARGS in the same rule as he needs, unless Ryan or Felipe correct me.
Kind regards.
2016-09-28 2:40 GMT+02:00 Jose Pablo Valcárcel Lázaro <
pab...@gm...>:
> Also, here you can find multimatch rules using several variables that could
> get several values determined by regular expressions, but a normal string
> could be in a regular expression with no escapes, expansion characters and
> so on: https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-SQL-Injection-Challenge--Lessons-Learned/
>
> I think if it is possible to write rules like this one, it should be possible
> to pass several arguments to ARGS variables to look for different values:
>
> SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_
> FILENAME|ARGS_NAMES|ARGS|XML:/* \
> "(?i:(\!\=|\&\&|\|\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|
> isnull)|(?:not\s+between\s+0\s+and)|(?:is\s+null)|(like\s+
> null)|(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\))|(?:xor|<>|
> rlike(?:\s+binary)?)|(?:regexp\s+binary))" \
> "phase:2,rev:'2.2.2',capture,t:none,t:urlDecodeUni,block,msg:'SQL
> Injection Attack: SQL Operator Detected',id:'981212',logdata:
> '%{TX.0}',severity:'2',tag:'WEB_ATTACK/SQL_INJECTION',tag:
> 'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_
> AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}'
> ,setvar:tx.sql_injection_score=+%{tx.notice_anomaly_
> score},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{
> rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
>
> Kind regards
>
> On Tue, 27 September 2016 at 23:14, Jose Pablo Valcárcel Lázaro <
> pab...@gm...> wrote:
>
>> Hi.
>>
>> Take a look at this directive in the mod_security documentation:
>> ARGS_NAMES
>>
>> Contains all request parameter names. You can search for specific
>> parameter names that you want to inspect. In a positive policy scenario,
>> you can also whitelist (using an inverted rule with the exclamation mark)
>> only the authorized argument names. This example rule allows only two
>> argument names: p and a:
>>
>> SecRule ARGS_NAMES "!^(p|a)$" "id:13"
>>
>> You can see how he's using several matches/coincidences with the logical
>> OR, matching everything that is not p or a, so I guess ARGS could support the
>> same format because it is also a variable.
>>
>> You can also check how several inclusions/exclusions are used in ARGS in
>> this example:
>> It is also possible to specify exclusions. The following will examine all
>> request arguments for the word dirty, except the ones named z (again, there
>> can be zero or more arguments named z):
>> SecRule ARGS|!ARGS:z dirty "id:9"
>>
>> You could write something like:
>> SecRule ARGS|ARGS:z dirty "id:9"
>> So ARGS could be dirty or z.
>>
>> Someone here defined ARGS as an array of key-value pairs:
>> http://stackoverflow.com/questions/17147596/what-does-args-args-names-actually-mean-in-mod-security-crs
>>
>> ARGS_NAMES = "pretty_arg","ugly_arg"
>> ARGS = "pretty_arg:test123","ugly_arg:345test"
>>
>> On Tue, 27 September 2016 at 22:29, Christian Folini <
>> chr...@ne...> wrote:
>>
>>> Hello José,
>>>
>>> On Tue, Sep 27, 2016 at 06:36:15PM +0000, Jose Pablo Valcárcel Lázaro
>>> wrote:
>>> > I mean try with your rule but in this way:
>>> > ctl:ruleRemoveTargetById=981173;ARGS:/Text|To|Cc|Bcc/RecaptchaResponse/q\[]/,\
>>>
>>> Unfortunately, it is not as easy as that. At least I never got this to
>>> work.
>>>
>>> There are three different places where you want to apply a regular
>>> expression in a ModSec Rule.
>>>
>>> SecRule Variable "@operator parameter" "actionlist,ctl:command;Variable"
>>>
>>> In the Variable:
>>> Limited regex capability
>>> Example: ARGS:/^text.*/
>>> Limit: Logical OR (-> |) does not work
>>> In the operator parameter:
>>> Full regex capability
>>> Example: (?i:(\!\=|\&\&|\|\||>>|<<|>=|<=|<>|<=>|\bxor\b|...
>>> Limit: none that I would know of
>>> In the action-ctl-command-variable
>>> Your example
>>> No regex capability
>>>
>>> Leonardo could also try the SecRuleUpdateTargetById form of a rule
>>> exclusion, but the logical OR is equally unsupported in that situation.
>>> So I guess, there is no easy way here.
>>>
>>> Best,
>>>
>>> Christian
>>>
>>> >
>>> > Kind regards
>>> >
>>> > On Tue, 27 September 2016 at 20:23, Jose Pablo Valcárcel Lázaro <
>>> > pab...@gm...> wrote:
>>> >
>>> > > Hi Leonardo. Take a look at this link:
>>> > > http://stackoverflow.com/questions/30064053/mod-security-whitelist-multiple-conditions
>>> > >
>>> > > He is using the logical OR of C development to check some conditions:
>>> > > SecRule ARGS "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
>>> > >
>>> > > So, like in an if in C, you can check for one condition OR another, like:
>>> > > if CONDITION1 || CONDITION2
>>> > > {}
>>> > >
>>> > > Here he only uses a | but it is "the same": you will check if it's some
>>> > > ARG or another.
>>> > >
>>> > > Give it a try and let me know if it works with |
>>> > >
>>> > > Kind regards
>>> > >
>>> > >
>>> > > On Tue, 27 September 2016 at 20:13, Leonardo Bacha Abrantes <
>>> > > leo...@lb...> wrote:
>>> > >
>>> > >> Hi Jose,
>>> > >>
>>> > >>
>>> > >> I have a rule below that is working; however, the trouble now is that
>>> > >> I'm creating an exception for each argument, I mean, creating a line for
>>> > >> each of 'Text,To,Cc,Bcc' and whatever else appears, for all rules. It's a
>>> > >> lot of lines!
>>> > >>
>>> > >>
>>> > >>
>>> > >> SecRule SERVER_ADDR "@ipMatch 192.168.1.17"
>>> > >> id:1000007,phase:1,nolog,t:none,pass,\
>>> > >> ctl:ruleRemoveTargetById=981231;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=950901;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=981173;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=981173;ARGS:To,\
>>> > >> ctl:ruleRemoveTargetById=981173;ARGS:Cc,\
>>> > >> ctl:ruleRemoveTargetById=981173;ARGS:Bcc,\
>>> > >> ctl:ruleRemoveTargetById=981173;ARGS:RecaptchaResponse,\
>>> > >> ctl:ruleRemoveTargetById=981173;ARGS:q[],\
>>> > >> ctl:ruleRemoveTargetById=981257;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=981231;ARGS:RecaptchaResponse,\
>>> > >> ctl:ruleRemoveTargetById=981248;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=981245;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=981245;ARGS:To,\
>>> > >> ctl:ruleRemoveTargetById=981245;ARGS:Cc,\
>>> > >> ctl:ruleRemoveTargetById=981245;ARGS:Bcc,\
>>> > >> ctl:ruleRemoveTargetById=981240;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=981243;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=973338;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=973300;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=973304;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=973335;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=973334;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=973300;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=973304;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=973333;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=973306;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=973316;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=981318;ARGS:Text,\
>>> > >> ctl:ruleRemoveTargetById=981318;ARGS:To,\
>>> > >> ctl:ruleRemoveTargetById=981318;ARGS:Cc,\
>>> > >> ctl:ruleRemoveTargetById=981318;ARGS:Bcc,\
>>> > >> ctl:ruleRemoveTargetById=950901;ARGS:To
>>> > >>
>>> > >>
>>> > >> I tested this
>>> > >> ctl:ruleRemoveTargetById=981173;ARGS:/Text/To/Cc/Bcc/RecaptchaResponse/q\[]/,\
>>> > >>
>>> > >> but it didn't work.
>>> > >>
>>> > >> Could you give me some help on how I can write it in an efficient way?
>>> > >>
>>> > >> Many thanks!
>>> > >>
>>> > >> On Tue, Sep 27, 2016 at 7:11 AM, Leonardo Bacha Abrantes <
>>> > >> leo...@lb...> wrote:
>>> > >>
>>> > >>> Hi Jose,
>>> > >>>
>>> > >>> Many thanks!!
>>> > >>>
>>> > >>> I will try it...
>>> > >>>
>>> > >>>
>>> > >>>
>>> > >>> On Mon, Sep 26, 2016 at 4:11 PM, Jose Pablo Valcárcel Lázaro <
>>> > >>> pab...@gm...> wrote:
>>> > >>>
>>> > >>>> And finally, here you will find how some rules are disabled with the
>>> > >>>> SERVER_NAME directive:
>>> > >>>> https://dripuonlinux.wordpress.com/2013/02/21/mod-security-whitelist-issue/
>>> > >>>>
>>> > >>>> Kind regards
>>> > >>>>
>>> > >>>>
>>> > >>>> On Mon, 26 September 2016 at 21:01, Jose Pablo Valcárcel Lázaro <
>>> > >>>> pab...@gm...> wrote:
>>> > >>>>
>>> > >>>>> Hi again.
>>> > >>>>>
>>> > >>>>> I found a cPanel domain-customizing rule that does not use .htaccess
>>> > >>>>> files:
>>> > >>>>>
>>> > >>>>> SecRule SERVER_NAME "domain\.com" "t:lowercase"
>>> > >>>>>
>>> > >>>>>
>>> > >>>>> https://forums.cpanel.net/threads/modsecurity-rule-only-for-specific-domain-account.508081/
>>> > >>>>>
>>> > >>>>> Checking the mod_security documentation, we see the directive you need
>>> > >>>>> is SERVER_NAME:
>>> > >>>>> SERVER_NAME
>>> > >>>>>
>>> > >>>>> This variable contains the transaction's hostname or IP address, taken
>>> > >>>>> from the request itself (which means that, in principle, it should not
>>> > >>>>> be trusted).
>>> > >>>>>
>>> > >>>>> SecRule SERVER_NAME "hostname\.com$" "id:68"
>>> > >>>>>
>>> > >>>>> Try with SERVER_NAME instead of the hosts directive. Normally you will
>>> > >>>>> find issues when mod_security is behind a reverse proxy or load balancer,
>>> > >>>>> but you have x-forwarded-for.
>>> > >>>>>
>>> > >>>>> Try it and check mod_security logs in reverse proxy.
>>> > >>>>>
>>> > >>>>> Kind regards
>>> > >>>>>
>>> > >>>>>
>>> > >>>>> On Mon, 26 September 2016 at 20:48, Leonardo Bacha Abrantes <
>>> > >>>>> leo...@lb...> wrote:
>>> > >>>>>
>>> > >>>>>> Hi Jose,
>>> > >>>>>>
>>> > >>>>>> Thanks for the tip.
>>> > >>>>>> No, I didn't compile modsecurity with the --enable-htaccess-config
>>> > >>>>>> option. I forgot to say that the machine is a reverse proxy with
>>> > >>>>>> modsecurity and it only does a proxypass to another server (where there
>>> > >>>>>> is no modsec installed) that has multiple virtual hosts.
>>> > >>>>>>
>>> > >>>>>> many thanks!
>>> > >>>>>>
>>> > >>>>>>
>>> > >>>>>>
>>> > >>>>>>
>>> > >>>>>> On Mon, Sep 26, 2016 at 12:49 PM, Jose Pablo Valcárcel Lázaro <
>>> > >>>>>> pab...@gm...> wrote:
>>> > >>>>>>
>>> > >>>>>>> I would check if your mod_security allows .htaccess config files
>>> > >>>>>>> (DISABLE_HTACCESS_CONFIG when compiling), or check it by creating a
>>> > >>>>>>> .htaccess file for that domain.
>>> > >>>>>>> --enable-htaccess-config - It will allow the following directives to
>>> > >>>>>>> be used in .htaccess files when AllowOverride Options is set
>>> > >>>>>>>
>>> > >>>>>>> Once you configure AllowOverride on Apache, you will be able to write
>>> > >>>>>>> custom mod_security rules for multiple domains by creating a .htaccess
>>> > >>>>>>> with customized mod_security rules. Once you create that .htaccess, you
>>> > >>>>>>> will have to reload Apache.
>>> > >>>>>>>
>>> > >>>>>>> Check the mod_security logs to see if the rules are written correctly.
>>> > >>>>>>>
>>> > >>>>>>> Kind regards
>>> > >>>>>>>
>>> > >>>>>>>
>>> > >>>>>>>
>>> > >>>>>>> On Mon, 26 September 2016 at 17:36, Leonardo Bacha Abrantes <
>>> > >>>>>>> leo...@lb...> wrote:
>>> > >>>>>>>
>>> > >>>>>>>> Hi guys,
>>> > >>>>>>>>
>>> > >>>>>>>> I have a server that hosts multiple virtual hosts, and I need to
>>> > >>>>>>>> create exception rules for the specific address www.mysite.com
>>> > >>>>>>>> for the rule SecRuleUpdateTargetById 981173
>>> > >>>>>>>> !ARGS:'RecaptchaResponse',!ARGS:'q[]'
>>> > >>>>>>>>
>>> > >>>>>>>>
>>> > >>>>>>>> I created the rules below to test but it's not working:
>>> > >>>>>>>>
>>> > >>>>>>>>
>>> > >>>>>>>>
>>> > >>>>>>>> SecRule REQUEST_HEADERS:Host "www.mysite.com$"
>>> > >>>>>>>> "phase:1,t:none,nolog,id:1000007,chain,pass,ctl:RuleUpdateTargetById=981173!ARGS:'RecaptchaResponse'"
>>> > >>>>>>>>
>>> > >>>>>>>> ----------
>>> > >>>>>>>>
>>> > >>>>>>>> SecRule REQUEST_HEADERS:Host "www.mysite.com$"
>>> > >>>>>>>> id:1000007,phase:1,chain,nolog,t:none,allow
>>> > >>>>>>>> SecRuleUpdateTargetById 981173
>>> > >>>>>>>> !ARGS:'RecaptchaResponse',!ARGS:'q[]'
>>> > >>>>>>>>
>>> > >>>>>>>>
>>> > >>>>>>>>
>>> > >>>>>>>> Could you please give some help to create this rule?
>>> > >>>>>>>>
>>> > >>>>>>>> many thanks!
>>> > >>>>>>>>
>>> > >>>>>>>>
>>> > >>>>>>>>
>>> > >>>>>>>> ------------------------------------------------------------------------------
>>> > >>>>>>>> _______________________________________________
>>> > >>>>>>>> mod-security-users mailing list
>>> > >>>>>>>> mod...@li...
>>> > >>>>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-
>>> users
>>> > >>>>>>>> Commercial ModSecurity Rules and Support from Trustwave's
>>> > >>>>>>>> SpiderLabs:
>>> > >>>>>>>> http://www.modsecurity.org/projects/commercial/rules/
>>> > >>>>>>>> http://www.modsecurity.org/projects/commercial/support/
>>> > >>>>>>>>
>>> > >>>>>>>
>>> > >>>>>>>
>>> > >>>>>>
>>> > >>>>>
>>> > >>>>
>>> > >>>
>>> > >>
>>> > >
>>>
>>>
>>>
>>> --
>>> https://www.feistyduck.com/training/modsecurity-training-course
>>> mailto:chr...@ne...
>>> twitter: @ChrFolini
>>>
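As an added example (not code from the thread, from ModSecurity or from the CRS), here is a small Python generator that produces Leonardo's host-scoped exception rule from a mapping of CRS rule ids to the arguments each rule must ignore, keeping one ctl action per (rule, argument) pair since the thread reports that neither a regex nor a `|` works in that ctl target; the mapping layout, the function names and the rendering helpers are assumptions of mine.

```python
# Added example, not code from the thread: build Leonardo's host-scoped CRS
# exception rule from a compact mapping instead of typing one ctl line per
# argument. Rule ids, argument names, id 1000007 and the address come from
# his rule; the mapping layout and the function names are my own.

# Constructed mapping: CRS rule id -> request arguments that rule must ignore.
EXCLUSIONS = {
    981173: ["Text", "To", "Cc", "Bcc", "RecaptchaResponse", "q[]"],
    981231: ["Text", "RecaptchaResponse"],
    950901: ["Text", "To"],
    981245: ["Text", "To", "Cc", "Bcc"],
    981318: ["Text", "To", "Cc", "Bcc"],
    973300: ["Text", "Text"],  # listed twice in his rule; deduplicated below
}

def ctl_actions(exclusions):
    """One ctl:ruleRemoveTargetById=<id>;ARGS:<name> per (rule, argument) pair.
    The thread reports that neither a regex nor '|' works in the target part of
    this ctl action, so pairs are emitted one by one, duplicates dropped."""
    actions = []
    for rule_id in sorted(exclusions):
        for name in dict.fromkeys(exclusions[rule_id]):  # dedupe, keep order
            actions.append("ctl:ruleRemoveTargetById=%d;ARGS:%s" % (rule_id, name))
    return actions

def exception_rule(rule_id, variable, operator, exclusions):
    """Render the complete SecRule, one action per line, joined with Apache's
    backslash line continuation so httpd reads it as a single directive."""
    actions = ["id:%d" % rule_id, "phase:1", "nolog", "t:none", "pass"]
    actions += ctl_actions(exclusions)
    lines = ['SecRule %s "%s" \\' % (variable, operator)]
    lines.append('    "%s,\\' % actions[0])        # opens the quoted action list
    lines += ["    %s,\\" % a for a in actions[1:-1]]
    lines.append('    %s"' % actions[-1])          # closes it, no continuation
    return "\n".join(lines)

def update_target_directives(exclusions):
    """Configuration-time alternative, the form Leonardo's original message uses:
    one SecRuleUpdateTargetById per rule id with comma-separated targets.
    Unlike the ctl form it cannot be conditioned on SERVER_ADDR or Host,
    so it applies to every virtual host behind the proxy."""
    out = []
    for rule_id in sorted(exclusions):
        targets = ",".join("!ARGS:'%s'" % n for n in dict.fromkeys(exclusions[rule_id]))
        out.append('SecRuleUpdateTargetById %d "%s"' % (rule_id, targets))
    return out

if __name__ == "__main__":
    print(exception_rule(1000007, "SERVER_ADDR", "@ipMatch 192.168.1.17", EXCLUSIONS))
```

Keeping the mapping in version control and regenerating the rule on change avoids the copy-paste duplicates visible in the hand-written version (973300 and 973304 appear twice).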