Hello Homesh,
The regex looks like Atomicorp rule 340029. Making the semicolon mandatory
was a decision by the person writing the rule. Maybe done in order to avoid
some false positives. Have you tried asking Atomicorp / gotRoot support?
Best,
Christian
On Fri, Jan 17, 2020 at 12:12:11PM +0530, homesh joshi wrote:
> Hi All,
>
> I am referring to the rule below
>
> SecRule
> REQUEST_URI|ARGS|!ARGS:fileContent|!ARGS:/_edit_/|!ARGS:/details/|!ARGS:/block_value/|!ARGS:/News/|!ARGS:/products_/|!ARGS:/article/|!ARGS:/template/|!ARGS:editor1|!ARGS:prefix|!ARGS:suffix|!ARGS:/info/|!ARGS:payment_extrainfo|!ARGS:file|!ARGS:thecode|!ARGS:/chat/|!ARGS:snippet|!ARGS:/phpcode/|!ARGS:intro|!ARGS:/title/|!ARGS:/data_parent/|!ARGS:code|!ARGS:lajmi|!ARGS:/content/|!ARGS:/desc/|!ARGS:/hilit/|!ARGS:/hilight/|!ARGS:/highlight/|!ARGS:/body/|!ARGS:/post/|!ARGS:/txt|!ARGS:/content/|!ARGS:/keyword/|!ARGS:/summary/|!ARGS:/note/|!ARGS:/solution/|!ARGS:/msg/|!ARGS:/highlight/|!ARGS:/text/|!ARGS:/subject/|!ARGS:/message/|!ARGS:/post/|!ARGS:/resolution/|!ARGS:/problem/
> "(?:;|/|\|
> )(?:\b(?:cat|ls|perl|uname|pwd|cp|tclsh8?|cpp|f(?:etch|tp)|python|chown|rm|ping|rsync|rdiff-backup|scp|wget|curl|links|g\+\+|ch(?:grp|own)|passwd|r?(?:b|d)ash|t?c?sh|telnet|clang|nc)\b
> |\b(?:sleep|benchmark)\b \(? ?[0-9]|powershell -w|\bkill(?:
> (?:[0-9]|-)|all\ ))" \
>
> "log,auditlog,phase:2,deny,log,status:403,capture,id:5001,t:none,t:utf8toUnicode,t:urlDecodeUni,t:replaceNulls,t:cmdLine,rev:32,severity:2,msg:'Others',tag:'Attack
> Blocked - command in REQUEST_URI or Argument',logdata:'%{TX.0}'"
>
> The rule is getting triggered for the following URL
>
> http://www.example.com/ls;
>
> And the rule is not getting triggered for the following URL
>
> http://www.example.com/ls
>
> Looking at the following regex from the rule on regex101.com, I don't understand
> why ";" is required at the end to trigger the rule.
> (?:;|/|\|
> )(?:\b(?:cat|ls|perl|uname|pwd|cp|tclsh8?|cpp|f(?:etch|tp)|python|chown|rm|ping|rsync|rdiff-backup|scp|wget|curl|links|g\+\+|ch(?:grp|own)|passwd|r?(?:b|d)ash|t?c?sh|telnet|clang|nc)\b
> |\b(?:sleep|benchmark)\b \(? ?[0-9]|powershell -w|\bkill(?:
> (?:[0-9]|-)|all\ ))" \
>
> Thanks,
> Homesh
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
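Editor's note on the rule quoted above. The following Python script is an added example; it is not part of the thread and is not Atomicorp's, Trustwave's or Christian's code. It rests on two assumptions that should be stated plainly: first, the operator regex is re-joined with a single space at each point where the quoted mail shows a line break (the rule file itself is not on the page, but a space at each break is what a mailer wrapping at whitespace produces, and it is consistent with the literal spaces already visible in "benchmark)\b \(?" and "powershell -w"); second, the t:cmdLine transformation is emulated from the ModSecurity reference manual's description (drop backslash, quotes and caret; collapse whitespace, commas and semicolons to one space; remove a space before "/" or "("; lowercase), t:urlDecodeUni is approximated with urllib's unquote(), and t:utf8toUnicode is skipped because the constructed inputs contain no non-ASCII bytes. Under those assumptions the script shows why the semicolon looks mandatory: the first alternative ends in "\b " (a literal space after the command word), and t:cmdLine rewrites ";" into exactly that space, so "/ls;" becomes "/ls " and matches while "/ls" does not. It also shows the consequence of that ordering for the leading "(?:;|/|\| )" group: by the time the regex runs, no ";" is left in the value, so only the "/" and "| " alternatives can ever match. The request URIs in the script are constructed for the example.

```python
import re
from urllib.parse import unquote

# Operator regex from the posted rule, joined on a single space at every
# point where the mail copy shows a line break. Assumption made here: the
# rule file itself is not on the page, and a space at each break is what a
# mailer wrapping at whitespace would produce.
OPERATOR_RX = re.compile(
    r"(?:;|/|\| )"
    r"(?:\b(?:cat|ls|perl|uname|pwd|cp|tclsh8?|cpp|f(?:etch|tp)|python|chown"
    r"|rm|ping|rsync|rdiff-backup|scp|wget|curl|links|g\+\+|ch(?:grp|own)"
    r"|passwd|r?(?:b|d)ash|t?c?sh|telnet|clang|nc)\b "
    r"|\b(?:sleep|benchmark)\b \(? ?[0-9]"
    r"|powershell -w"
    r"|\bkill(?: (?:[0-9]|-)|all\ ))"
)


def t_cmd_line(value: str) -> str:
    """Emulation of ModSecurity's t:cmdLine, following the reference manual:
    drop backslash, double quote, single quote and caret; turn every run of
    space, tab, CR, LF, comma or semicolon into one space; drop a space that
    sits directly before '/' or '('; lowercase everything else."""
    out = []
    pending_space = False
    for ch in value:
        if ch in "\\\"'^":
            continue
        if ch in " \t\r\n,;":
            if not pending_space:
                out.append(" ")
                pending_space = True
            continue
        if ch in "/(":
            if pending_space:
                out.pop()          # the space before '/' or '(' is removed
            pending_space = False
            out.append(ch)
            continue
        out.append(ch.lower())
        pending_space = False
    return "".join(out)


def apply_transforms(request_uri: str) -> str:
    """Transformation chain of the rule, minus t:utf8toUnicode (it only rewrites
    non-ASCII sequences, which none of the inputs below contain).
    t:urlDecodeUni is approximated with unquote(), which covers %XX but not %uXXXX."""
    value = unquote(request_uri)           # t:urlDecodeUni
    value = value.replace("\x00", " ")     # t:replaceNulls
    return t_cmd_line(value)               # t:cmdLine


def match_raw(value: str):
    """Run the operator regex on a value as-is; returns TX.0 (the match) or None."""
    m = OPERATOR_RX.search(value)
    return m.group(0) if m else None


def match_rule(request_uri: str):
    """What the rule sees for REQUEST_URI: transformations first, then the regex."""
    return match_raw(apply_transforms(request_uri))


# Constructed request URIs: the two from the question plus three variants.
SAMPLE_URIS = [
    "/ls;",                      # fires: ';' becomes the trailing space the regex wants
    "/ls",                       # silent: 'ls' is not followed by a space
    "/ls%3B",                    # fires: urlDecodeUni restores ';' before cmdLine runs
    "/?page=home;ls%20-la",      # silent: ' ls ' is preceded by a space, not ';', '/' or '| '
    "/?page=home|%20ls%20-la",   # fires via the '| ' alternative
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri!r:28} -> transformed {apply_transforms(uri)!r:26} TX.0 = {match_rule(uri)!r}")
```

Running the script prints the transformed value next to the TX.0 capture for each input; match_raw("/ls;") returning None while match_rule("/ls;") returns "/ls " is the whole answer to the question in one line. Anyone checking this against the real rule should run the original file's pattern (not the re-joined copy) through modsec's own debug log at level 9, which shows the value after each t: step and the final match.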