Re: [Mod-security-developers] Macro expansion in operators
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [Mod-security-developers] Macro expansion in operators
|
From: Ervin H. <ai...@gm...> - 2019-02-11 15:52:23
|
hi, On Mon, Feb 11, 2019 at 01:42:46PM +0000, Felipe Costa wrote: > I've got your point. Personally, I don't like this approach as it may be confusing to debug the rules, but I understand your point. Yes, a patch will be welcome 😉 before anybody should start to work on operators, please don't forget, that there is a pending PR related to the validateByteRange operator: https://github.com/SpiderLabs/ModSecurity/pull/2017 :) a. >> Br., > > Felipe "Zimmerle" Costa > > Security Researcher, Lead Developer ModSecurity > > m: +55 81.98706.5547 > > > > [signature_480191669] > > www.trustwave.com<http://www.trustwave.com/> > > > > Recognized by industry analysts as a leader in managed security services.<https://www.trustwave.com/company/about-us/accolades/> > > > ________________________________ > From: Marc Stern <mar...@ap...> > Sent: Thursday, February 7, 2019 6:24 AM > To: mod...@li... > Subject: Re: [Mod-security-developers] Macro expansion in operators > > The main goal is to be able to extend a pattern incrementally. This is especially useful in shared environments, but not limited to this case. > > Example: you define you general policy to accept only certain characters > SecRule ARGS "@validateByteRange 32-90" > > In a location, you want an exception to accept some additional characters (CR/LF): > <Location /...> > SecRule ARGS "@validateByteRange 10,13,32-90" > </Location> > > In case you extend your global policy (let's say 32-95), your exception doesn't follow it. You are obliged to keep them aligned (you'll forget to do this if they are disseminated in several files). > > The solution could be: > SecAction "phase:1,setvar:tx.allowedRange=32-90" > > <Location /...> > SecAction "phase:2,setvar:tx.allowedRange=%{tx.allowedRange},10,13" > </Location> > > SecRule ARGS "@validateByteRange %{tx.allowedRange}" "phase:2,..." > > Same for ipMatch > > Marc > > On 05-02-19 17:54, Felipe Costa wrote: > > Hi Marc, > > > There is no specific reason. As there is a computational cost for macro expansion, we may have it only where/when it is extremely necessary. Do you have a specific use case? > > > Br., > > Felipe "Zimmerle" Costa > > Security Researcher, Lead Developer ModSecurity > > > ________________________________ > From: Marc Stern <mar...@ap...><mailto:mar...@ap...> > Sent: Friday, February 1, 2019 12:16:20 PM > To: mod...@li...<mailto:mod...@li...> > Subject: [Mod-security-developers] Macro expansion in operators > > Can somebody explain me why the operators below don't perform macro > expansion; they're using plain strings, not pre-calculated patterns: > - ipMatch > - validateByteRange > > Would a pull request implementing this be accepted? > > Marc Stern > > _______________________________________________ > mod-security-developers mailing list > mod...@li...<mailto:mod...@li...> > https://scanmail.trustwave.com/?c=4062&d=3bHU3PIPIuUQrzOmOziiUcqWOyJFIV2loAPuiTrUlA&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-developers<https://scanmail.trustwave.com/?c=4062&d=57nc3DspNU5aOwZsU4--G33vqxJuRzh_IAF3WDNkmw&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-developers> > ModSecurity Services from Trustwave's SpiderLabs: > https://www.trustwave.com/spiderLabs.php > > _______________________________________________ > mod-security-developers mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-developers > ModSecurity Services from Trustwave's SpiderLabs: > https://www.trustwave.com/spiderLabs.php |
