Hey Eirik,
If it works, it would be "...attack-sqli;%{MATCHED_VAR_NAME}". I doubt this
works, but I have been proved wrong on Monday night with a similar question,
so don't trust me too much.
ModSec2.9 is quite talkative on DebugLogLevel 9, so you should be able to
tell if it worked based on the logfile.
Ahoj,
Christian
On Fri, Apr 06, 2018 at 02:28:09PM +0200, Eirik Øverby - ModSecurity wrote:
> Hi again,
>
> > On 5 Apr 2018, at 21:19, Eirik Øverby - ModSecurity <ltn...@an...> wrote:
> >> SecRule REQUEST_URI "@beginsWith /mdpayacs/pareq" \
> >> "phase:1,id:1003,t:none,pass,nolog,chain,\
> >> ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:TermURL,\
> >> ctl:ruleRemoveTargetByTag=attack-rce;ARGS:TermURL,\
> >> ctl:ruleRemoveTargetByTag=attack-xss;ARGS:TermURL"
> >> SecRule ARGS:TermURL "@beginsWith http" "t:none"
> >
> > before anyone comments - yes, I modified this to say phase:2 - does not make any difference..
>
> The error, as it turned out, was that mod_security matches argument names in a case-sensitive fashion, but our application does not. The TermURL parameter is sent to us from many different sources, with various degrees of CamelCasing and CAPItaliSation.
>
> Question: Can I use e.g. MATCHED_VAR_NAME as argument to ruleRemoveTargetBy*? For example
> SecRule ARGS:/[Vv][Aa][Rr]/ "foo" "...... ctl:ruleRemoveTargetByTag=attack-sqli;MATCHED_VAR_NAME"
>
> I have tried this, with no success so far - also with ARGS: prefix to MATCHED_VAR_NAME. I've also tried to use it in a chained rule.
>
> /Eirik
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
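
Added example, not part of either message above and not ModSecurity code: a small Python check that lists which spellings of the TermURL parameter appear in traffic to /mdpayacs/pareq, split into those that equal the name used in rule id:1003 and those an exact, case-sensitive name comparison (the behaviour reported in the quoted message, taken here as an assumption) would not cover. The request URIs are constructed samples and use query strings for brevity; the function name `casing_variants` is hypothetical.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

EXCLUDED_NAME = "TermURL"          # name used in the exclusion rule id:1003
PATH_PREFIX = "/mdpayacs/pareq"    # REQUEST_URI prefix from the same rule

# Constructed sample request URIs (not real traffic).
SAMPLE_URIS = [
    "/mdpayacs/pareq?TermURL=https%3A%2F%2Fshop.example%2Fdone&MD=1",
    "/mdpayacs/pareq?termurl=https%3A%2F%2Fshop.example%2Fdone",
    "/mdpayacs/pareq?TERMURL=https%3A%2F%2Fshop.example%2Fdone&MD=2",
    "/mdpayacs/pareq?TermUrl=https%3A%2F%2Fshop.example%2Fdone",
    "/mdpayacs/pareq?termurl=http%3A%2F%2Fshop.example%2Fback",
    "/other/path?termurl=https%3A%2F%2Fshop.example%2F",
]


def casing_variants(uris, name=EXCLUDED_NAME, prefix=PATH_PREFIX):
    """Return (exact, missed) Counters of parameter-name spellings.

    exact:  spellings identical to `name`
    missed: spellings equal to `name` only when case is ignored
    """
    exact, missed = Counter(), Counter()
    for uri in uris:
        parts = urlsplit(uri)
        if not parts.path.startswith(prefix):
            continue  # the exclusion only applies under this prefix
        for key, _value in parse_qsl(parts.query, keep_blank_values=True):
            if key.lower() != name.lower():
                continue  # unrelated parameter
            (exact if key == name else missed)[key] += 1
    return exact, missed


if __name__ == "__main__":
    exact, missed = casing_variants(SAMPLE_URIS)
    print("covered by exact name:", dict(exact))
    print("not covered (case differs):", dict(missed))
```

Run against names extracted from real access or audit logs, the second list shows how many spellings an exclusion would have to cover.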