Eirik,
I'm afraid that is likely the case. If it were only a single rule,
I'd advise you to drop that rule. But given you want to disable whole classes
of rules and you have tried out multiple alternative paths, I do not see
any way around this anymore.
The root cause is probably that you use the parameter in a case-insensitive
way and ModSec is very pedantic with parameter names - as it should be
actually.
Sorry for the bad news,
Christian
On Fri, Apr 06, 2018 at 09:07:42PM +0200, Eirik Øverby - ModSecurity wrote:
> Hi,
>
> And there is no way I can achieve the same in some other way than repeating the ctl: action as many times as there are ways to spell the parameter name?
>
> I tried feeding it regex there (as it does allow regex in the SecRule itself), didn't work of course. I'd rather not disable all processing for all parameters..
>
> /Eirik
>
> > On 6 Apr 2018, at 14:55, Christian Folini <chr...@ne...> wrote:
> >
> > Yes, too bad. That would have been an elegant solution.
> >
> > The coverage for macro expansion has always been punctual in ModSecurity.
> > I wish it was consistent and universal.
> >
> > See https://github.com/SpiderLabs/ModSecurity/issues/1725
> > for another example.
> >
> > Ahoj,
> >
> > Christian
> >
> > On Fri, Apr 06, 2018 at 02:45:43PM +0200, Eirik Øverby - ModSecurity wrote:
> >> Hi,
> >>
> >> I'm on 3.0.2 with nginx - and I get this from modsec-rules-check:
> >> Expecting an action, got: %{MATCHED_VAR_NAME},\
> >>
> >> I think the above is enough to see that it doesn't work :)
> >>
> >> /Eirik
> >>
> >>> On 6 Apr 2018, at 14:40, Christian Folini <chr...@ne...> wrote:
> >>>
> >>> Hey Eirik,
> >>>
> >>> If it works, it would be "...attack-sqli;%{MATCHED_VAR_NAME}". I doubt this
> >>> works, but I have been proved wrong on Monday night with a similar question,
> >>> so don't trust me too much.
> >>>
> >>> ModSec2.9 is quite talkative on DebugLogLevel 9, so you should be able to
> >>> tell if it worked based on the logfile.
> >>>
> >>> Ahoj,
> >>>
> >>> Christian
> >>>
> >>>
> >>> On Fri, Apr 06, 2018 at 02:28:09PM +0200, Eirik Øverby - ModSecurity wrote:
> >>>> Hi again,
> >>>>
> >>>>> On 5 Apr 2018, at 21:19, Eirik Øverby - ModSecurity <ltn...@an...> wrote:
> >>>>>> SecRule REQUEST_URI "@beginsWith /mdpayacs/pareq" \
> >>>>>> "phase:1,id:1003,t:none,pass,nolog,chain,\
> >>>>>> ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:TermURL,\
> >>>>>> ctl:ruleRemoveTargetByTag=attack-rce;ARGS:TermURL,\
> >>>>>> ctl:ruleRemoveTargetByTag=attack-xss;ARGS:TermURL"
> >>>>>> SecRule ARGS:TermURL "@beginsWith http" "t:none"
> >>>>>
> >>>>> before anyone comments - yes, I modified this to say phase:2 - does not make any difference..
> >>>>
> >>>> The error, as it turned out, was that mod_security matches argument names in a case-sensitive fashion, but our application does not. The TermURL parameter is sent to us from many different sources, with various degrees of CamelCasing and CAPItaliSation.
> >>>>
> >>>> Question: Can I use e.g. MATCHED_VAR_NAME as argument to ruleRemoveTargetBy*? For example
> >>>> SecRule ARGS:/[Vv][Aa][Rr]/ "foo" "...... ctl:ruleRemoveTargetByTag=attack-sqli;MATCHED_VAR_NAME"
> >>>>
> >>>> I have tried this, with no success so far - also with ARGS: prefix to MATCHED_VAR_NAME. I've also tried to use it in a chained rule.
> >>>>
> >>>> /Eirik
> >>>> ------------------------------------------------------------------------------
> >>>> Check out the vibrant tech community on one of the world's most
> >>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> >>>> _______________________________________________
> >>>> mod-security-users mailing list
> >>>> mod...@li...
> >>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> >>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> >>>> http://www.modsecurity.org/projects/commercial/rules/
> >>>> http://www.modsecurity.org/projects/commercial/support/
> >>>
> >>> --
> >>> https://www.feistyduck.com/training/modsecurity-training-course
> >>> https://www.feistyduck.com/books/modsecurity-handbook/
> >>> mailto:chr...@ne...
> >>> twitter: @ChrFolini
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
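
An added example, not part of the original thread or of ModSecurity itself: since the thread concludes that the `ctl:` action has to be repeated once per spelling of the parameter name, this sketch collects only the spellings actually observed in request URIs and generates the exclusion rule from them, rather than excluding every possible casing. The sample URIs are constructed, the function names are hypothetical, and it assumes the parameter arrives in the query string.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TAGS = ("attack-sqli", "attack-rce", "attack-xss")  # tags used in the thread's rule

# Constructed sample request URIs (not real traffic).
SAMPLE_URIS = [
    "/mdpayacs/pareq?TermURL=https%3A%2F%2Fshop.example%2Fdone",
    "/mdpayacs/pareq?termurl=https%3A%2F%2Fshop.example%2Fdone&x=1",
    "/mdpayacs/pareq?TERMURL=https%3A%2F%2Fshop.example%2Fdone",
    "/mdpayacs/pareq?TermUrl=http%3A%2F%2Fshop.example%2Fdone",
    "/other/path?termURL=https%3A%2F%2Fshop.example%2F",  # other path: ignored
    "/mdpayacs/pareq?TermURLx=1",                          # other name: ignored
]

def observed_spellings(uris, param, path_prefix):
    """Distinct spellings of param (compared case-insensitively) under path_prefix."""
    seen = set()
    for uri in uris:
        parts = urlsplit(uri)
        if not parts.path.startswith(path_prefix):
            continue
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() == param.lower():
                seen.add(name)
    return sorted(seen)

def case_insensitive_selector(param):
    """ARGS:/[Tt][Ee].../ selector, in the style Eirik used in the SecRule itself."""
    body = "".join(f"[{c.upper()}{c.lower()}]" if c.isalpha() else re.escape(c)
                   for c in param)
    return f"ARGS:/^{body}$/"

def build_rule(rule_id, path_prefix, param, spellings):
    """One ctl action per (spelling, tag) pair; the ctl target is a literal name."""
    ctls = [f"ctl:ruleRemoveTargetByTag={tag};ARGS:{name}"
            for name in spellings for tag in TAGS]
    lines = [f'SecRule REQUEST_URI "@beginsWith {path_prefix}" \\',
             f'    "phase:2,id:{rule_id},t:none,pass,nolog,chain,\\']
    lines += [f"    {c},\\" for c in ctls[:-1]] + [f'    {ctls[-1]}"']
    lines.append(f'    SecRule {case_insensitive_selector(param)} '
                 '"@beginsWith http" "t:none"')
    return "\n".join(lines)

if __name__ == "__main__":
    names = observed_spellings(SAMPLE_URIS, "TermURL", "/mdpayacs/pareq")
    print(build_rule(1003, "/mdpayacs/pareq", "TermURL", names))
```

Spellings that have not been observed stay covered by the tagged rules, so the exclusion list only grows when a new casing is seen and the rule is regenerated.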