Hi,
I'm on 3.0.2 with nginx - and I get this from modsec-rules-check:
Expecting an action, got: %{MATCHED_VAR_NAME},\
I think the above is enough to see that it doesn't work :)
/Eirik
> On 6 Apr 2018, at 14:40, Christian Folini <chr...@ne...> wrote:
>
> Hey Eirik,
>
> If it works, it would be "...attack-sqli;%{MATCHED_VAR_NAME}". I doubt this
> works, but I have been proved wrong on Monday night with a similar question,
> so don't trust me too much.
>
> ModSec2.9 is quite talkative on DebugLogLevel 9, so you should be able to
> tell if it worked based on the logfile.
>
> Ahoj,
>
> Christian
>
>
> On Fri, Apr 06, 2018 at 02:28:09PM +0200, Eirik Øverby - ModSecurity wrote:
>> Hi again,
>>
>>> On 5 Apr 2018, at 21:19, Eirik Øverby - ModSecurity <ltn...@an...> wrote:
>>>> SecRule REQUEST_URI "@beginsWith /mdpayacs/pareq" \
>>>> "phase:1,id:1003,t:none,pass,nolog,chain,\
>>>> ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:TermURL,\
>>>> ctl:ruleRemoveTargetByTag=attack-rce;ARGS:TermURL,\
>>>> ctl:ruleRemoveTargetByTag=attack-xss;ARGS:TermURL"
>>>> SecRule ARGS:TermURL "@beginsWith http" "t:none"
>>>
>>> Before anyone comments - yes, I modified this to say phase:2 - it does not make any difference.
>>
>> The error, as it turned out, was that mod_security matches argument names in a case-sensitive fashion, but our application does not. The TermURL parameter is sent to us from many different sources, with various degrees of CamelCasing and CAPItaliSation.
>>
>> Question: Can I use e.g. MATCHED_VAR_NAME as an argument to ruleRemoveTargetBy*? For example
>> SecRule ARGS:/[Vv][Aa][Rr]/ "foo" "...... ctl:ruleRemoveTargetByTag=attack-sqli;MATCHED_VAR_NAME"
>>
>> I have tried this, with no success so far - also with ARGS: prefix to MATCHED_VAR_NAME. I've also tried to use it in a chained rule.
>>
>> /Eirik
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://www.modsecurity.org/projects/commercial/rules/
>> http://www.modsecurity.org/projects/commercial/support/
>
> --
> https://www.feistyduck.com/training/modsecurity-training-course
> https://www.feistyduck.com/books/modsecurity-handbook/
> mailto:chr...@ne...
> twitter: @ChrFolini
>