Yes, too bad. That would have been an elegant solution.
The coverage for macro expansion has always been punctual in ModSecurity.
I wish it was consistent and universal.
See https://github.com/SpiderLabs/ModSecurity/issues/1725
for another example.
Ahoj,
Christian
On Fri, Apr 06, 2018 at 02:45:43PM +0200, Eirik Øverby - ModSecurity wrote:
> Hi,
>
> I'm on 3.0.2 with nginx - and I get this from modsec-rules-check:
> Expecting an action, got: %{MATCHED_VAR_NAME},\
>
> I think the above is enough to see that it doesn't work :)
>
> /Eirik
>
> > On 6 Apr 2018, at 14:40, Christian Folini <chr...@ne...> wrote:
> >
> > Hey Eirik,
> >
> > If it works, it would be "...attack-sqli;%{MATCHED_VAR_NAME}". I doubt this
> > works, but I have been proved wrong on Monday night with a similar question,
> > so don't trust me too much.
> >
> > ModSec2.9 is quite talkative on DebugLogLevel 9, so you should be able to
> > tell if it worked based on the logfile.
> >
> > Ahoj,
> >
> > Christian
> >
> >
> > On Fri, Apr 06, 2018 at 02:28:09PM +0200, Eirik Øverby - ModSecurity wrote:
> >> Hi again,
> >>
> >>> On 5 Apr 2018, at 21:19, Eirik Øverby - ModSecurity <ltn...@an...> wrote:
> >>>> SecRule REQUEST_URI "@beginsWith /mdpayacs/pareq" \
> >>>> "phase:1,id:1003,t:none,pass,nolog,chain,\
> >>>> ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:TermURL,\
> >>>> ctl:ruleRemoveTargetByTag=attack-rce;ARGS:TermURL,\
> >>>> ctl:ruleRemoveTargetByTag=attack-xss;ARGS:TermURL"
> >>>> SecRule ARGS:TermURL "@beginsWith http" "t:none"
> >>>
> >>> before anyone comments - yes, I modified this to say phase:2 - does not make any difference..
> >>
> >> The error, as it turned out, was that mod_security matches argument names in a case-sensitive fashion, but our application does not. The TermURL parameter is sent to us from many different sources, with various degrees of CamelCasing and CAPItaliSation.
> >>
> >> Question: Can I use e.g. MATCHED_VAR_NAME as an argument to ruleRemoveTargetBy*? For example
> >> SecRule ARGS:/[Vv][Aa][Rr]/ "foo" "...... ctl:ruleRemoveTargetByTag=attack-sqli;MATCHED_VAR_NAME"
> >>
> >> I have tried this, with no success so far - also with ARGS: prefix to MATCHED_VAR_NAME. I've also tried to use it in a chained rule.
> >>
> >> /Eirik
> >> ------------------------------------------------------------------------------
> >> Check out the vibrant tech community on one of the world's most
> >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> >> _______________________________________________
> >> mod-security-users mailing list
> >> mod...@li...
> >> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> >> http://www.modsecurity.org/projects/commercial/rules/
> >> http://www.modsecurity.org/projects/commercial/support/
> >
> > --
> > https://www.feistyduck.com/training/modsecurity-training-course
> > https://www.feistyduck.com/books/modsecurity-handbook/
> > mailto:chr...@ne...
> > twitter: @ChrFolini
> >
>
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini