[mod-security-users] rules error simply by changing regex
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
[mod-security-users] rules error simply by changing regex
|
From: Gregory L. <gr...@cl...> - 2018-08-17 02:01:18
|
Hi, I'm testing modsecurity 3.0.2 with the OWASP CRS 3.0.2 with nginx on a dev server. I'm trying to exclude inspection of particular cookies by various rules. I'm trying to match the cookie names with regular expressions because the cookie names may vary. I don't want to have a rule ignore all cookies. I have not had success with SecRuleUpdateTargetById. For example, these didn't seem to work (the rules still trigger): SecRuleUpdateTargetById 921151 "!REQUEST_COOKIES_NAMES:/mixpanel$/" SecRuleUpdateTargetById 921151 "!REQUEST_COOKIES_NAMES:/^_hp2_/" So I was trying SecAction, e.g.: SecAction "id:201,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=921151;REQUEST_COOKIES_NAMES:/mixpanel$/" SecAction "id:301,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=921151;REQUEST_COOKIES_NAMES:/^_hp2_/" The first SecAction (mixpanel) is apparently accepted but the second SecAction (_hp2_) gives a rule error upon nginx startup: Aug 17 01:06:02 devserver.example.com nginx[19370]: 2018/08/17 01:06:02 [emerg] 19370#0: "modsecurity_rules_file" directive Rules error. File: /path_to/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf. Line: 98. Column: 108. Expecting an action, got: ^_hp2_/" in /path_to/nginx.conf:138 Aug 17 01:06:02 devserver.example.com nginx-cl[19362]: Starting nginx: nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /path_to/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf. Line: 98. Column: 108. Expecting an action, got: ^_hp2_/" in /path_to/nginx.conf:138 Would anyone have an idea why a rules error would trigger only from a regular expression change (the only apparent difference between the rules other than the rule id)? Thank you, Gregory |
