Re: [mod-security-users] Syntax error for rule by trustwave
From: homesh j. <ho...@gm...> - 2019-10-09 12:05:37
Hi,
Now when I am testing the rule against the website I think the first rule
is not getting triggered.
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ \
    "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)" \
    "chain,phase:3,id:'881064',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:' tx.ua=%{request_headers.user-agent}' "
SecRule UNIQUE_ID "(.*)" \
    "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"
This should trigger, as the response header Set-Cookie is present in the
response with PHPSESSID,
e.g.
A: homesh$ curl -k -i https://somesite.abcd.in 2>&1 | grep Set-Cookie
Set-Cookie: PHPSESSID=f26b72756916f074ab798270327d2c99; path=/
Not sure why it is not working. I don't see the second rule injecting the JS,
and I think it is because the first rule is not getting triggered, which should
capture "setsid".
Please help.
Thanks,
Homesh
On Tue, Oct 1, 2019 at 8:13 PM Ervin Hegedüs <ai...@gm...> wrote:
> Hi Homesh,
>
>
> On Tue, Oct 01, 2019 at 07:29:53PM +0530, homesh joshi wrote:
> >
> > here is the final thing that worked for me. Now I am testing the rule
> > for various conditions.
>
> good to see,
>
> > #Step1
> > ## This rule will identify the outbound Set-Cookie SessionID data and capture it in a setsid#
> > SecRule RESPONSE_HEADERS:/Set-Cookie2?/ \
> >     "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid).*?=([^\s].*?)\;\s?)" \
> >     "chain,phase:3,id:'881062',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar: tx.ua=%{request_headers.user-agent}"
>
> just my 2 cents: you would do better to use the actions with their
> arguments quoted, e.g.:
>
> setvar:'tx.ua=%{request_headers.user-agent}'
>
> It's not mandatory, but more clear.
>
>
>
> a.
>
>
>
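To check the pattern separately from the rule engine, the following added example (not part of the thread) runs the operator regex from the first SecRule against the Set-Cookie value shown in the curl output and reports what each capture index holds. It uses Python's `re` on the assumption that it matches this pattern the same way ModSecurity's regex engine does; the function name `captures` and the samples marked "constructed" are not from the thread.

```python
import re

# Pattern copied from the first SecRule in the thread (operator argument only).
SESSION_COOKIE_RE = re.compile(
    r"(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?"
    r"|cf(id|token)|sid).*?=([^\s].*?)\;\s?)"
)


def captures(header_value):
    """Return {"TX.n": text} for a match, or None when the pattern fails.

    Index 0 is the whole match and 1..6 are the parenthesised groups, the
    numbering the rule relies on when it reads %{TX.6}.
    """
    m = SESSION_COOKIE_RE.search(header_value)
    if m is None:
        return None
    return {f"TX.{i}": m.group(i) for i in range(m.re.groups + 1)}


# First value is the header from the curl output in the thread;
# the rest are constructed variants for comparison.
SAMPLES = [
    "PHPSESSID=f26b72756916f074ab798270327d2c99; path=/",
    "JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly",  # constructed
    "PHPSESSID=f26b72756916f074ab798270327d2c99",     # constructed: no ';' after value
    "theme=dark; path=/",                             # constructed: no session cookie name
]

if __name__ == "__main__":
    for value in SAMPLES:
        caps = captures(value)
        print(f"{value!r}\n  TX.6 -> {caps and caps['TX.6']!r}")
```

The pattern requires a `;` after the cookie value, so a Set-Cookie header that carries only `name=value` with no attributes produces no match and nothing in TX.6.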