Hi,
And there is no way I can achieve the same in some other way than repeating the ctl: action as many times as there are ways to spell the parameter name?
I tried feeding it regex there (as it does allow regex in the SecRule itself), didn't work of course. I'd rather not disable all processing for all parameters..
/Eirik
> On 6 Apr 2018, at 14:55, Christian Folini <chr...@ne...> wrote:
>
> Yes, too bad. That would have been an elegant solution.
>
> The coverage for macro expansion has always been punctual in ModSecurity.
> I wish it was consistent and universal.
>
> See https://github.com/SpiderLabs/ModSecurity/issues/1725
> for another example.
>
> Ahoj,
>
> Christian
>
> On Fri, Apr 06, 2018 at 02:45:43PM +0200, Eirik Øverby - ModSecurity wrote:
>> Hi,
>>
>> I'm on 3.0.2 with nginx - and I get this from modsec-rules-check:
>> Expecting an action, got: %{MATCHED_VAR_NAME},\
>>
>> I think the above is enough to see that it doesn't work :)
>>
>> /Eirik
>>
>>> On 6 Apr 2018, at 14:40, Christian Folini <chr...@ne...> wrote:
>>>
>>> Hey Eirik,
>>>
>>> If it works, it would be "...attack-sqli;%{MATCHED_VAR_NAME}". I doubt this
>>> works, but I have been proved wrong on Monday night with a similar question,
>>> so don't trust me too much.
>>>
>>> ModSec2.9 is quite talkative on DebugLogLevel 9, so you should be able to
>>> tell if it worked based on the logfile.
>>>
>>> Ahoj,
>>>
>>> Christian
>>>
>>>
>>> On Fri, Apr 06, 2018 at 02:28:09PM +0200, Eirik Øverby - ModSecurity wrote:
>>>> Hi again,
>>>>
>>>>> On 5 Apr 2018, at 21:19, Eirik Øverby - ModSecurity <ltn...@an...> wrote:
>>>>>> SecRule REQUEST_URI "@beginsWith /mdpayacs/pareq" \
>>>>>> "phase:1,id:1003,t:none,pass,nolog,chain,\
>>>>>> ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:TermURL,\
>>>>>> ctl:ruleRemoveTargetByTag=attack-rce;ARGS:TermURL,\
>>>>>> ctl:ruleRemoveTargetByTag=attack-xss;ARGS:TermURL"
>>>>>> SecRule ARGS:TermURL "@beginsWith http" "t:none"
>>>>>
>>>>> before anyone comments - yes, I modified this to say phase:2 - does not make any difference..
>>>>
>>>> The error, as it turned out, was that mod_security matches argument names in a case-sensitive fashion, but our application does not. The TermURL parameter is sent to us from many different sources, with various degrees of CamelCasing and CAPItaliSation.
>>>>
>>>> Question: Can I use e.g. MATCHED_VAR_NAME as argument to ruleRemoveTargetBy*? For example
>>>> SecRule ARGS:/[Vv][Aa][Rr]/ "foo" "...... ctl:ruleRemoveTargetByTag=attack-sqli;MATCHED_VAR_NAME"
>>>>
>>>> I have tried this, with no success so far - also with ARGS: prefix to MATCHED_VAR_NAME. I've also tried to use it in a chained rule.
>>>>
>>>> /Eirik
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>> _______________________________________________
>>>> mod-security-users mailing list
>>>> mod...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>> http://www.modsecurity.org/projects/commercial/support/
>>>
>>> --
>>> https://www.feistyduck.com/training/modsecurity-training-course
>>> https://www.feistyduck.com/books/modsecurity-handbook/
>>> mailto:chr...@ne...
>>> twitter: @ChrFolini
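The fallback discussed in this thread is one ctl:ruleRemoveTargetByTag action per spelling of the parameter name. As an added example (not code from the thread or from the ModSecurity project), the Python script below collects the spellings actually seen for one endpoint and emits one chained rule per spelling, shaped like the rule quoted above with the phase:2 change its author mentions. It assumes the parameter names are visible in request lines; the sample log lines, the `shop.example` host, the function names and the ids after 1003 are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request lines (not taken from the thread).
SAMPLE_LOG = [
    '"POST /mdpayacs/pareq?TermURL=https%3A%2F%2Fshop.example%2Fdone HTTP/1.1" 200',
    '"POST /mdpayacs/pareq?termurl=https%3A%2F%2Fshop.example%2Fdone HTTP/1.1" 200',
    '"POST /mdpayacs/pareq?TERMURL=https%3A%2F%2Fshop.example%2Fdone&x=1 HTTP/1.1" 200',
    '"POST /mdpayacs/pareq?TermURL=https%3A%2F%2Fshop.example%2Fagain HTTP/1.1" 200',
    '"GET /other?TermUrl=1 HTTP/1.1" 200',
]
REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def observed_spellings(lines, uri_prefix, param):
    """Return the distinct spellings of `param` seen under `uri_prefix`."""
    seen = set()
    for line in lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.startswith(uri_prefix):
            continue
        for name, _ in parse_qsl(url.query, keep_blank_values=True):
            # Names come from untrusted requests: accept only ASCII case
            # variants of the expected name before they reach rule text.
            if name.isascii() and name.lower() == param.lower():
                seen.add(name)
    return sorted(seen)

def build_rules(uri_prefix, spellings, tags, first_id):
    """Emit one chained rule per spelling, shaped like the rule in the thread."""
    rules = []
    for offset, name in enumerate(spellings):
        ctls = ",\\\n    ".join(
            f"ctl:ruleRemoveTargetByTag={tag};ARGS:{name}" for tag in tags)
        rules.append(
            f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" \\\n'
            f'    "phase:2,id:{first_id + offset},t:none,pass,nolog,chain,\\\n'
            f'    {ctls}"\n'
            f'    SecRule ARGS:{name} "@beginsWith http" "t:none"')
    return rules

if __name__ == "__main__":
    names = observed_spellings(SAMPLE_LOG, "/mdpayacs/pareq", "TermURL")
    tags = ["attack-sqli", "attack-rce", "attack-xss"]
    print("\n\n".join(build_rules("/mdpayacs/pareq", names, tags, 1003)))
```

Each generated rule removes the tagged checks only for a spelling that was really observed, so the exclusion stays as narrow as the per-spelling approach allows; check the output with modsec-rules-check before loading it.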