Re: [mod-security-users] Syntax error for rule by trustwave
From: homesh j. <ho...@gm...> - 2019-10-01 14:00:14
Hi Ervin,
Thanks a lot. Now I am clear on the use of \ and chain.
Here is the final thing that worked for me. Now I am testing the rule
for various conditions.
#Step1
## This rule will identify the outbound Set-Cookie SessionID data and capture it in a setsid
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)" "chain,phase:3,id:'881062',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:tx.ua=%{request_headers.user-agent}"
SecRule UNIQUE_ID "(.*)" "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"
#Step 2
SecContentInjection On
SecStreamOutBodyInspection On
SecResponseBodyAccess On
## RESPONSE_STATUS and STREAM_OUTPUT_BODY are only available in phase 4, so the chain starter needs phase:4 (the chained rules inherit it)
SecRule RESPONSE_STATUS "200" "chain,id:'881802',phase:4,t:none,pass"
SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html" "chain,t:none,nolog"
SecRule &SESSION:KEY "@eq 1" "chain"
SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/<script type=\"text\/javascript\" src=\"https\:\/\/www.abc123.com\/client.min.js\"><\/script>|0A|<\/body>/" "capture,setvar:session.fingerprint_code_sent=1"
#Step 3
## -=[ Save the initial Browser Fingerprint Hash in the Session Collection ]=-
SecRule &SESSION:BROWSER_HASH "@eq 0" "chain,id:'881803',phase:1,t:none,nolog,pass"
SecRule REQUEST_COOKIES:BROWSER_HASH ".*" "setvar:session.browser_hash=%{matched_var}"
#Step 4
## -=[ If Browser Fingerprint JS was sent previously, then enforce the existence of the browser_hash Cookie field. ]=-
SecRule SESSION:FINGERPRINT_CODE_SENT "@eq 1" "chain,id:'881804',phase:1,t:none,block,msg:'Warning: Browser Fingerprint Cookie Missing.'"
SecRule &REQUEST_COOKIES:BROWSER_HASH "@eq 0"
SecRule SESSION:FINGERPRINT_CODE_SENT "@eq 1" "chain,id:'881805',phase:1,t:none,block,msg:'Warning: Browser Fingerprint Cookie Mismatch.',logdata:'Expected Browser Fingerprint: %{session.browser_hash}. Browser Fingerprint Received: %{request_cookies.browser_hash}'"
SecRule &REQUEST_COOKIES:BROWSER_HASH "@eq 1" "chain"
SecRule REQUEST_COOKIES:BROWSER_HASH "!@streq %{session.browser_hash}"
Thanks,
Homesh
On Tue, Oct 1, 2019 at 2:24 PM Ervin Hegedüs <ai...@gm...> wrote:
> Hi Homesh,
>
> On Tue, Oct 01, 2019 at 01:16:31PM +0530, homesh joshi wrote:
>
> > AH00526: Syntax error on line 13 of /etc/modsecurity/1234.conf:
> > SecRule takes two or three arguments, rule target, operator and optional
> > action list
> > Action 'configtest' failed.
> >
> > Line # 13 is
> > SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none" \
>
> Yes, this is invalid. The "\" (backslash) char is used to indicate to the
> parser that the next line is part of the current one. So, if you want
> to continue the list of actions, then it is needed; elsewhere you
> _cannot_ place it.
>
> As I see your config, the next token is a new "SecRule" option,
> therefore this isn't the continuation of the previous line.
>
> Maybe you are confused with the 'chain' action, which means
> "the next SecRule entity is a continuation of this", but that's
> totally different from the backslash at the EOL.
>
> So, your rules:
>
> > SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none" \
> > SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html" "chain,id:'881802',t:none,nolog,pass" \
> > SecRule &SESSION:KEY "@eq 1" "chain"
> > SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/<script type=\"text\/javascript\" src=\"https\:\/\/www.abcd1234.COM\/client.min.js\"><\/script>|0A|<\/body>/" "capture,setvar:session.fingerprint_code_sent=1"
>
> in the right form:
>
> > SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none"
> > SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html" "chain,t:none,nolog,pass"
> > SecRule &SESSION:KEY "@eq 1" "chain"
> > SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/<script type=\"text\/javascript\" src=\"https\:\/\/www.abcd1234.COM\/client.min.js\"><\/script>|0A|<\/body>/" "capture,setvar:session.fingerprint_code_sent=1"
>
> Also note that you don't need to put the "id" with the same value on
> the chained rule - I removed it.
>
> Hope this helps,
>
> a.
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
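An added example, not code from the thread or from ModSecurity itself: a small Python checker for the two mistakes explained in the reply above, a line-continuation backslash followed by a new directive (the config reader then hands ModSecurity a single SecRule with too many arguments, which is the "takes two or three arguments" error) and an id repeated on a chained rule. The sample rules are constructed from the thread's 881802 chain; the placeholder script URL and joining continued lines with a single space are assumptions.

```python
import re
import shlex
DIRECTIVE_RE = re.compile(r"^\s*(Sec[A-Za-z]+)\b")

# Constructed samples: the form that produced "SecRule takes two or three
# arguments" in the thread, and the corrected form (script URL is a placeholder).
BAD_RULES = r"""SecRule RESPONSE_STATUS "200" "chain,id:'881802',t:none" \
SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html" "chain,id:'881802',t:none,nolog,pass" \
SecRule &SESSION:KEY "@eq 1" "chain"
"""
GOOD_RULES = r"""SecRule RESPONSE_STATUS "200" "chain,id:'881802',phase:4,t:none,pass"
SecRule RESPONSE_HEADERS:Content-Type "@beginsWith text/html" "chain,t:none,nolog"
SecRule &SESSION:KEY "@eq 1" "chain"
SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/<script src=\"https:\/\/example.invalid\/c.js\"><\/script>|0A|<\/body>/" "capture,setvar:session.fingerprint_code_sent=1"
"""

def logical_lines(text):
    # Join backslash-continued lines as the Apache config reader does before
    # ModSecurity sees the directive. Yields (first physical line no., text).
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line, start = raw.rstrip(), (n if start is None else start)
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        yield start, " ".join(buf + [line])
        buf, start = [], None

def lint_rules(text):
    findings, physical = [], text.splitlines()
    # 1. Trailing backslash followed by a line that begins a new directive:
    #    the reader glues both into one SecRule with too many arguments.
    for i, line in enumerate(physical[:-1]):
        m = DIRECTIVE_RE.match(physical[i + 1])
        if line.rstrip().endswith("\\") and m:
            findings.append(f"line {i + 1}: trailing backslash joins the next {m.group(1)} into this directive")
    prev_chain = False  # 2. argument count after joining, and an id on a chained (non-starter) rule
    for n, joined in logical_lines(text):
        if not joined.lstrip().startswith("SecRule"):
            continue
        args = shlex.split(joined)  # Apache-style quoting: \" is a literal quote inside "..."
        if len(args) not in (3, 4):
            findings.append(f"line {n}: SecRule takes two or three arguments, got {len(args) - 1}")
            continue
        actions = args[3] if len(args) == 4 else ""
        rid = re.search(r"(?:^|,)\s*id:'?(\d+)'?", actions)
        if prev_chain and rid:
            findings.append(f"line {n}: chained rule carries id {rid.group(1)}; only the chain starter needs one")
        prev_chain = bool(re.search(r"(?:^|,)\s*chain(?:,|$)", actions))
    return findings
```

Running `lint_rules(BAD_RULES)` reports the backslash on lines 1 and 2 and the resulting 11-argument SecRule; `lint_rules(GOOD_RULES)` returns no findings.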