Re: [mod-security-users] rules error simply by changing regex
From: Christian F. <chr...@ne...> - 2018-08-17 04:01:18
Hello Gregory,

Varying cookie names are painful. I'm afraid you will have to remove them all
since regexes are not supported on SecRuleUpdateTargetById and
ctl:ruleRemoveTargetById. At least when I last checked.

This also explains the error even if the message could be more readable.

Ahoj,

Christian

On Thu, Aug 16, 2018 at 06:35:59PM -0700, Gregory LeFevre wrote:
> Hi,
>
> I'm testing modsecurity 3.0.2 with the OWASP CRS 3.0.2 with nginx on a dev
> server.
>
> I'm trying to exclude inspection of particular cookies by various rules.
> I'm trying to match the cookie names with regular expressions because the
> cookie names may vary.
>
> I don't want to have a rule ignore all cookies.
>
> I have not had success with SecRuleUpdateTargetById. For example, these
> didn't seem to work (the rules still trigger):
>
> SecRuleUpdateTargetById 921151 "!REQUEST_COOKIES_NAMES:/mixpanel$/"
> SecRuleUpdateTargetById 921151 "!REQUEST_COOKIES_NAMES:/^_hp2_/"
>
> So I was trying SecAction, e.g.:
>
> SecAction
> "id:201,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=921151;REQUEST_COOKIES_NAMES:/mixpanel$/"
> SecAction
> "id:301,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=921151;REQUEST_COOKIES_NAMES:/^_hp2_/"
>
> The first SecAction (mixpanel) is apparently accepted but the second
> SecAction (_hp2_) gives a rule error upon nginx startup:
>
> Aug 17 01:06:02 devserver.example.com nginx[19370]: 2018/08/17 01:06:02
> [emerg] 19370#0: "modsecurity_rules_file" directive Rules error. File:
> /path_to/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.
> Line: 98. Column: 108. Expecting an action, got: ^_hp2_/" in
> /path_to/nginx.conf:138
>
> Aug 17 01:06:02 devserver.example.com nginx-cl[19362]: Starting nginx:
> nginx: [emerg] "modsecurity_rules_file" directive Rules error. File:
> /path_to/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.
> Line: 98. Column: 108. Expecting an action, got: ^_hp2_/" in
> /path_to/nginx.conf:138
>
> Would anyone have an idea why a rules error would trigger only from a
> regular expression change (the only apparent difference between the rules
> other than the rule id)?
>
> Thank you,
>
> Gregory

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
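
A pre-deployment check for the limitation described in the reply above, as an added example that is not part of the original thread or of ModSecurity: it scans a rules file for regex key selectors on `SecRuleUpdateTargetById` and `ctl:ruleRemoveTargetById` targets, so they are caught before nginx refuses to start or an exclusion fails to apply. The function names and the sample configuration are constructed for illustration; that such selectors are unsupported is taken from the reply and may differ in other ModSecurity versions.

```python
import re

# Directive form: SecRuleUpdateTargetById <id> "<targets>"
UPDATE_RE = re.compile(r'^\s*SecRuleUpdateTargetById\s+(\S+)\s+"?([^"]*)')
# Action form: ctl:ruleRemoveTargetById=<id>;<target>
CTL_RE = re.compile(r'ctl:ruleRemoveTargetById=([^;,"\s]+);([^,"]*)')
# A target carries a regex key when the collection name is followed by ":/".
REGEX_KEY_RE = re.compile(r'!?\b([A-Z_]+):(/[^|,]*)')

def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        start = num if start is None else start
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def find_regex_targets(text):
    """Return (line, directive, rule_id, collection, selector) tuples."""
    findings = []
    for num, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue
        hits = [("SecRuleUpdateTargetById", m.group(1), m.group(2))
                for m in [UPDATE_RE.match(line)] if m]
        hits += [("ctl:ruleRemoveTargetById", c.group(1), c.group(2))
                 for c in CTL_RE.finditer(line)]
        for directive, rule_id, target in hits:
            for key in REGEX_KEY_RE.finditer(target):
                findings.append((num, directive, rule_id, key.group(1), key.group(2)))
    return findings

# Constructed sample, built from the directives quoted in the thread.
SAMPLE_CONF = r'''# exclusions for rule 921151
SecRuleUpdateTargetById 921151 "!REQUEST_COOKIES_NAMES:/mixpanel$/"
SecRuleUpdateTargetById 921151 "!REQUEST_COOKIES_NAMES"
SecAction \
    "id:301,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=921151;REQUEST_COOKIES_NAMES:/^_hp2_/"
SecAction "id:302,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetById=921151;REQUEST_COOKIES_NAMES"
'''

if __name__ == "__main__":
    for num, directive, rule_id, coll, sel in find_regex_targets(SAMPLE_CONF):
        print(f"line {num}: {directive} {rule_id}: regex key {sel} on {coll}")
```

Only the regex-keyed targets are reported; the whole-collection exclusions in the sample, which are the form the reply recommends, pass without a finding.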