Re: [mod-security-users] REQUEST_COOKIES_NAMES:/regex/ does not work
From: Robert P. <rpa...@fe...> - 2018-04-02 21:20:18
Okay, so I got the following to work (as expected), ignoring
SecRuleUpdateTargetById which I've never had much luck with:
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
    "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:1234123413,tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2',deny"
SecRule ARGS:test "@streq foo" "id:12345,deny,phase:2,msg:'lolnope',sanitiseArg:yomama"
SecAction "ctl:ruleRemoveTargetById=1234123413;REQUEST_HEADERS:Cookie,id:12346,phase:1"
Relevant debug logs:
https://gist.github.com/p0pr0ck5/3d7b38c3c182604242449ff0b04c444d
@Eric, because your rule targets REQUEST_HEADERS and not COOKIES, you
cannot remove a specific cookie from this target. Headers and cookies are
treated as separate tables. You will either need to use an ignore or craft
a second rule that looks specifically at cookies.
BTW, you may want to evaluate the regex in question here; what specifically
are you trying to catch? It matches on a cookie only because of how cookies
are formed.
On Mon, Apr 2, 2018 at 1:41 PM, Robert Paprocki <rpa...@fe...> wrote:
> Hey Christian,
>
> On Mon, Apr 2, 2018 at 1:38 PM, Christian Folini <chr...@ne...> wrote:
>
>> Hello Eric,
>>
>> On Mon, Apr 02, 2018 at 07:31:14PM +0000, Eric Wheeler wrote:
>> > We have tried the following, but none have worked:
>> >
>> > SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES_NAMES:/_gac_UA-5521579-1/"
>> > SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES:/_gac_UA-5521579-1/"
>> >
>> > SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:/_gac_UA-5521579-1/"
>> >
>> > SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES_NAMES:_gac_UA-5521579-1"
>> > SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES:_gac_UA-5521579-1"
>> >
>> >
>> > Interestingly, these two work, but are of course too permissive:
>> >
>> > SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:/./"
>> > SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:Cookie"
>>
>> If
>> SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:/./"
>> works, it's undocumented behaviour. This does not really support regexes.
>>
>
> From https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SecRuleUpdateTargetById:
>
> Note that it is also possible to use regular expressions in the target
> specification:
>
> SecRuleUpdateTargetById 981172 "!REQUEST_COOKIES:/^appl1_.*/"
>
>
> Interestingly, neither of the following work for me:
>
> SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:/./"
> SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:Cookie"
>
> And there is no meaningful log-level 9 debug information to indicate that
> SecRuleUpdateTargetById did anything (I'm still walking through
> https://github.com/SpiderLabs/ModSecurity/blob/72f632e9b6b2e63677cfba7e62a47efb87c90b48/apache2/re.c#L198
> at this point - busy watching the Falcon 9 launch atm ;) ).
>
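The point Robert makes above (headers and cookies are separate tables, so a cookie exclusion cannot reach a rule that targets REQUEST_HEADERS) and his aside about why the regex fires on this cookie at all, modelled in Python as an added example. This is not code from the thread or from ModSecurity itself: the regex is the one from rule 1234123413 above, the request headers and the `_gac_` cookie value are constructed, `transform` only approximates the rule's transformation chain, and `expand_targets` is a simplified model of target selection and `!` exclusion, not ModSecurity's re.c logic.

```python
import re
from urllib.parse import unquote

# Regex copied verbatim from rule id 1234123413 in the thread above.
SQLI_RE = re.compile(r"\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b")

# Constructed request headers (hypothetical, not taken from the thread). The cookie
# name ends in "-1" and its value starts with "1", so the raw Cookie header carries
# the substring "1=1" even though neither the name nor the value does on its own.
HEADERS = {
    "Host": "www.example.com",
    "Referer": "https://www.example.com/?q=1%3D1",
    "Cookie": "_gac_UA-5521579-1=1.1522700000.abc123; session=d41d8cd98f00",
}


def transform(value):
    """Rough stand-in for the rule's t:urlDecodeUni,t:compressWhiteSpace,t:lowercase chain."""
    return " ".join(unquote(value).split()).lower()


def parse_cookies(header):
    """Split a Cookie header into the REQUEST_COOKIES table (name -> value)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def build_collections(headers):
    """Model the three separate collections the thread talks about. REQUEST_HEADERS
    keeps the raw Cookie header; REQUEST_COOKIES and REQUEST_COOKIES_NAMES are
    derived from it but are independent tables."""
    cookies = parse_cookies(headers.get("Cookie", ""))
    return {
        "REQUEST_HEADERS": dict(headers),
        "REQUEST_COOKIES": cookies,
        "REQUEST_COOKIES_NAMES": {name: name for name in cookies},
    }


def expand_targets(collections, targets):
    """Resolve a target list such as ["REQUEST_HEADERS", "!REQUEST_HEADERS:Referer"]
    into the concrete "COLLECTION:key" -> value pairs the operator will see.
    A key written /.../ is a regex over the table's keys, as in
    SecRuleUpdateTargetById. An exclusion ("!") only removes entries of its own
    collection, which is the behaviour the thread is about; this is a simplified
    model, not ModSecurity's actual re.c logic."""
    selected = {}
    for spec in targets:
        negate = spec.startswith("!")
        coll_name, _, key = spec.lstrip("!").partition(":")
        table = collections[coll_name]
        if key == "":
            keys = list(table)
        elif key.startswith("/") and key.endswith("/") and len(key) > 1:
            pattern = re.compile(key[1:-1], re.IGNORECASE)
            keys = [k for k in table if pattern.search(k)]
        else:
            keys = [k for k in table if k.lower() == key.lower()]
        for k in keys:
            full = f"{coll_name}:{k}"
            if negate:
                selected.pop(full, None)
            else:
                selected[full] = table[k]
    return selected


def evaluate(collections, targets):
    """Return {target: matched text} for every selected target the regex hits."""
    hits = {}
    for full, value in expand_targets(collections, targets).items():
        match = SQLI_RE.search(transform(value))
        if match:
            hits[full] = match.group(0)
    return hits


if __name__ == "__main__":
    colls = build_collections(HEADERS)
    rule_targets = ["REQUEST_HEADERS", "!REQUEST_HEADERS:Referer"]
    # The rule as posted: only the raw Cookie header trips it, and on "1=1".
    print(evaluate(colls, rule_targets))
    # Excluding the cookie from REQUEST_COOKIES changes nothing: the rule never
    # inspected that table, so there is nothing to remove from it.
    print(evaluate(colls, rule_targets + ["!REQUEST_COOKIES:/^_gac_/"]))
    # The parsed cookie tables never matched in the first place.
    print(evaluate(colls, ["REQUEST_COOKIES", "REQUEST_COOKIES_NAMES"]))
    # What ctl:ruleRemoveTargetById=1234123413;REQUEST_HEADERS:Cookie does: drops
    # the whole header from inspection, not just one cookie.
    print(evaluate(colls, rule_targets + ["!REQUEST_HEADERS:Cookie"]))
```

The model makes the two observations from the thread concrete: the "1=1" hit only exists once cookie name and value are glued together in the raw header, which is why the parsed REQUEST_COOKIES and REQUEST_COOKIES_NAMES tables never match and why excluding entries from them leaves a REQUEST_HEADERS rule untouched; and removing REQUEST_HEADERS:Cookie silences the rule for the entire header, so a narrower second rule over REQUEST_COOKIES is the way to keep inspecting the other cookies.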