Re: [mod-security-users] REQUEST_COOKIES_NAMES:/regex/ does not work
From: Robert P. <rpa...@fe...> - 2018-04-02 21:08:15
Hey Christian,

On Mon, Apr 2, 2018 at 1:38 PM, Christian Folini <chr...@ne...> wrote:

> Hello Eric,
>
> On Mon, Apr 02, 2018 at 07:31:14PM +0000, Eric Wheeler wrote:
> > We have tried the following, but none have worked:
> >
> > SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES_NAMES:/_gac_UA-5521579-1/"
> > SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES:/_gac_UA-5521579-1/"
> >
> > SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:/_gac_UA-5521579-1/"
> >
> > SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES_NAMES:_gac_UA-5521579-1"
> > SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES:_gac_UA-5521579-1"
> >
> >
> > Interestingly, these two work, but are of course too permissive:
> >
> > SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:/./"
> > SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:Cookie"
>
> If
> SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:/./"
> works, it's undocumented behaviour. This does not really support regexes.
>

From https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecRuleUpdateTargetById :

Note that it is also possible to use regular expressions in the target specification:

SecRuleUpdateTargetById 981172 "!REQUEST_COOKIES:/^appl1_.*/"

Interestingly, neither of the following work for me:

SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:/./"
SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:Cookie"

And there is no meaningful log-level 9 debug information to indicate that SecRuleUpdateTargetById did anything (I'm still walking through https://github.com/SpiderLabs/ModSecurity/blob/72f632e9b6b2e63677cfba7e62a47efb87c90b48/apache2/re.c#L198 at this point - busy watching the Falcon 9 launch atm ;) ).
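
Added example, not part of the original message and not ModSecurity's own code: a small Python model for previewing which cookie names a `SecRuleUpdateTargetById` exclusion would remove from inspection, so a selector can be checked for being broader than intended before it is deployed. It assumes `/.../` selectors are unanchored regex searches on the collection key and plain selectors are case-insensitive exact matches; the function names and the sample Cookie header are constructed for illustration.

```python
import re

# Matches: SecRuleUpdateTargetById <id> "!COLLECTION:selector"
DIRECTIVE = re.compile(r'^SecRuleUpdateTargetById\s+(\d+)\s+"!([A-Z_]+):(.+)"$')

def parse_exclusion(line):
    """Split a directive into (rule_id, collection, matcher)."""
    m = DIRECTIVE.match(line.strip())
    if not m:
        raise ValueError("not a '!COLLECTION:selector' exclusion: %r" % line)
    rule_id, collection, selector = m.groups()
    if len(selector) > 1 and selector.startswith("/") and selector.endswith("/"):
        # Assumption: /.../ is an unanchored regex search on the key.
        # Python's re stands in for PCRE here; fine for simple patterns.
        rx = re.compile(selector[1:-1])
        matcher = lambda key: rx.search(key) is not None
    else:
        # Assumption: a plain selector is a case-insensitive exact key match.
        matcher = lambda key: key.lower() == selector.lower()
    return int(rule_id), collection, matcher

def cookie_names(cookie_header):
    """Return the cookie names from a Cookie request header value."""
    names = []
    for part in cookie_header.split(";"):
        name = part.split("=", 1)[0].strip()
        if name:
            names.append(name)
    return names

def excluded_cookies(directive, cookie_header):
    """Names the exclusion would remove from inspection for this request."""
    _, collection, matcher = parse_exclusion(directive)
    if collection not in ("REQUEST_COOKIES", "REQUEST_COOKIES_NAMES"):
        return []  # this model only covers the cookie collections
    return [n for n in cookie_names(cookie_header) if matcher(n)]

# Constructed sample header, not taken from the thread's traffic.
SAMPLE = "_gac_UA-5521579-1=1.152; _gac_UA-5521579-10=x; session=abc"

if __name__ == "__main__":
    for sel in ("/_gac_UA-5521579-1/", "/^_gac_UA-5521579-1$/", "/./"):
        d = 'SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES:%s"' % sel
        print(sel, "->", excluded_cookies(d, SAMPLE))
```

Under these assumptions the unanchored pattern also excludes the look-alike cookie `_gac_UA-5521579-10`, while the `^...$` form excludes only the intended name.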