Hi again,
> On 5 Apr 2018, at 21:19, Eirik Øverby - ModSecurity <ltn...@an...> wrote:
>> SecRule REQUEST_URI "@beginsWith /mdpayacs/pareq" \
>> "phase:1,id:1003,t:none,pass,nolog,chain,\
>> ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:TermURL,\
>> ctl:ruleRemoveTargetByTag=attack-rce;ARGS:TermURL,\
>> ctl:ruleRemoveTargetByTag=attack-xss;ARGS:TermURL"
>> SecRule ARGS:TermURL "@beginsWith http" "t:none"
>
> before anyone comments - yes, I modified this to say phase:2 - does not make any difference..
The error, as it turned out, was that mod_security matches argument names in a case-sensitive fashion, but our application does not. The TermURL parameter is sent to us from many different sources, with various degrees of CamelCasing and CAPItaliSation.
Question: Can I use e.g. MATCHED_VAR_NAME as an argument to ruleRemoveTargetBy*? For example
SecRule ARGS:/[Vv][Aa][Rr]/ "foo" "...... ctl:ruleRemoveTargetByTag=attack-sqli;MATCHED_VAR_NAME"
I have tried this, with no success so far - also with ARGS: prefix to MATCHED_VAR_NAME. I've also tried to use it in a chained rule.
/Eirik
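
An added example, not part of the original message: a small audit script that lists which spellings of a parameter name an exact-name exclusion target such as ARGS:TermURL does not cover, and builds a bracket-class pattern in the style of the ARGS:/[Vv][Aa][Rr]/ selector above. The sample URIs are constructed, and it assumes the parameter names appear in the query string of the logged request URIs; whether ctl accepts such a pattern as a target is not shown here.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

EXCLUDED_NAME = "TermURL"        # argument name used in the exclusion on the page
PATH_PREFIX = "/mdpayacs/pareq"  # URI prefix from the rule on the page

# Constructed sample request URIs (not real traffic).
SAMPLE_URIS = [
    "/mdpayacs/pareq?TermURL=https%3A%2F%2Fshop.example%2Freturn&MD=1",
    "/mdpayacs/pareq?termurl=https%3A%2F%2Fshop.example%2Freturn",
    "/mdpayacs/pareq?TERMURL=https%3A%2F%2Fshop.example%2Freturn",
    "/mdpayacs/pareq?TermUrl=https%3A%2F%2Fshop.example%2Freturn",
    "/other/path?termurl=https%3A%2F%2Fshop.example%2F",
]


def missed_variants(uris, name=EXCLUDED_NAME, prefix=PATH_PREFIX):
    """Count argument names equal to `name` ignoring case but not exactly.

    These are the spellings the application accepts but a case-sensitive
    exact-name exclusion target does not match.
    """
    missed = Counter()
    for uri in uris:
        parts = urlsplit(uri)
        if not parts.path.startswith(prefix):
            continue  # the exclusion only applies under this prefix
        for arg, _value in parse_qsl(parts.query, keep_blank_values=True):
            if arg.lower() == name.lower() and arg != name:
                missed[arg] += 1
    return missed


def bracket_pattern(name):
    """Build an anchored, case-insensitive-by-construction regex for `name`."""
    pieces = []
    for ch in name:
        if ch.isalpha():
            pieces.append(f"[{ch.upper()}{ch.lower()}]")
        else:
            pieces.append(re.escape(ch))
    # Anchored so that longer names merely containing `name` do not match.
    return "^" + "".join(pieces) + "$"


if __name__ == "__main__":
    for variant, count in sorted(missed_variants(SAMPLE_URIS).items()):
        print(f"not covered by ARGS:{EXCLUDED_NAME}: {variant} ({count} request(s))")
    print("selector pattern:", bracket_pattern(EXCLUDED_NAME))
```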