Re: [mod-security-users] Trouble excluding params with ARGS_NAMES
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Trouble excluding params with ARGS_NAMES
|
From: Christian F. <chr...@ne...> - 2020-09-04 15:47:04
|
Hey Jamie, On Fri, Sep 04, 2020 at 02:19:07PM +0100, Jamie Burchell wrote: > Thanks for the prompt and detailed response, as always. Glad to help. :) > I think in this case I do actually required a non-anchored regex, as the > application(s) I am protecting use, for example: "new_password", > "confirm_password", "old_password". If it's an open list, then that's pretty much a necessity, I guess. > I'm still not really sure why matching against the parameter name (i.e. > ARGS_NAMES) does not achieve the same thing, since it's the name I'm > interested in and not the value of the parameter. However, it sounds like > I'm doing the "right" thing by checking ARGS instead. Let me put it that way: ARGS is a list of boxes with content (= payloads / values) ARGS_NAMES is a sheet of paper with names. It bears no meaning beyond the words / names listed on the sheet. >From a conceptual level, it could be implemented differently, but that's the way it works in ModSecurity. Given my background, I also see paralells in the medieval problem of universals. If you have time at hand, you may want to check out https://en.wikipedia.org/wiki/Problem_of_universals; namely the section of medieval nominalism. :) Cheers, Christian > > Kind regards, > > Jamie > > -----Original Message----- > From: Christian Folini <chr...@ne...> > Sent: 04 September 2020 14:10 > To: mod...@li... > Subject: Re: [mod-security-users] Trouble excluding params with ARGS_NAMES > > Hey Jamie, > > This is a new question and it is also a jolly good question as it made my > think about my assumptions and how people think and how ModSec behaves. > > There are two problems here. > > The interesting one: > > ARGS is a collection of all parameters. Simply speaking, a parameter > consists of a parameter name and a parameter value. A parameter is > addressed by its parameter name. > > ARGS_NAMES is a collection of parameter names. There are no parameter > values here. Only parameter names. > > You could think of a collection ARGS_VALUES to complement the set. But > that does actually not exist in ModSecurity. > > So if you want to suppress the execution of one or multiple rules against > one or multiple parameters, you typically use ARGS and not ARGS_NAMES. > > The form ARGS_NAMES:/password/ can be used to count occurrences of > parameter names that match the regex, but it can actually be substituted > with ARGS:/password/. ( -> &ARGS:/password/). Otherwise I do not see many > uses of the ARGS_NAMES:xxx form. > > The more mundane problem: > > You use a regex to match the parameter name when you actually want an > individual parameter. You could fix this by anchoring your regex as in > ARGS:/^password$/, but you do not even need a regex in the first place, > since the following is the simpler and preferred way of doing this: > > SecRuleUpdateTargetById 920000-943999 "!ARGS:password" > > Nice way of using rule ranges to disable CRS for all incoming requests. > Please note that CRS comes with a new rules in the 944xxx range. > > Cheers, > > Christian > > > > On Thu, Sep 03, 2020 at 08:53:34PM +0100, Jamie Burchell wrote: > > Hi there > > > > For reasons that are totally escaping me, I can't get the below > exclusion rule to work: > > > > SecRuleUpdateTargetById 920000-943999 "!ARGS_NAMES:/password/" > > > > However, using this rule does work: > > > > SecRuleUpdateTargetById 920000-943999 "!ARGS:/password/" > > > > I had thought that the first version of this rule would exclude any > parameter containing the word "password", but it does not seem to be > working. The second version of the rule does work, but presumably will > also match on any parameter value containing the word "password", which > isn't really what I wanted. What am I doing wrong? > > > > Thanks in advance > > Jamie > > > > mod_security: 2.9.2 > > CRS: 3.3.0 > > > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
