Hi,
I wanted to follow up with some further investigation into this.
Hopefully, these findings may help someone else in a similar scenario
in the future.
I ended up going through ModSecurity's (2.x) source to confirm how the
'deprecatevar' action works. Looking at re_actions.c confirmed my
suspicion: all variables in a given persistent collection are tied to
a *single timestamp* (LAST_UPDATE_TIME) for the purposes of
calculating their deprecation. This can cause strange behaviour when
deprecatevar is used on multiple variables in the same collection.
I've written a full explanation about this in a blog post, which can
be found here: https://www.loadbalancer.org/blog/modsecurity-and-the-case-of-the-never-decreasing-variables/
I've also written a Lua script which I'm using to work around this
issue. The script has been published to GitHub, here:
https://github.com/loadbalancer-org/modsec_decrement_script
If nothing else, this was a fun opportunity to spend time poking
around ModSecurity's source code :)
Thanks,
Andrew
--
Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
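
An added example, not part of the original message and not ModSecurity's or the linked script's code: a simplified Python model of why a counter under deprecatevar can stop decreasing when another variable in the same collection keeps changing. The decay formula, the variable names `strikes` and `requests`, and the per-variable timestamp alternative are assumptions made for illustration.

```python
# Simplified model of the behaviour described in the message; not ModSecurity code.
# Assumption: deprecatevar:NAME=AMOUNT/PERIOD subtracts elapsed * AMOUNT // PERIOD,
# with elapsed measured from the collection's single LAST_UPDATE_TIME.

class Collection:
    def __init__(self, per_variable_timestamps, now=0):
        self.per_var = per_variable_timestamps
        self.values = {}
        self.stamps = {}          # per-variable timestamps (hypothetical alternative)
        self.last_update = now    # models the shared LAST_UPDATE_TIME
        self.dirty = False

    def setvar(self, name, value, now):
        self.values[name] = value
        self.stamps[name] = now
        self.dirty = True

    def deprecatevar(self, name, amount, period, now):
        since = self.stamps[name] if self.per_var else self.last_update
        drop = (now - since) * amount // period
        if drop > 0:
            self.setvar(name, max(0, self.values[name] - drop), now)

    def end_transaction(self, now):
        # Any change to any variable refreshes the shared timestamp.
        if self.dirty:
            self.last_update = now
            self.dirty = False


def simulate(per_variable_timestamps, duration=600, interval=10):
    """One request every `interval` seconds; return the final 'strikes' value."""
    col = Collection(per_variable_timestamps)
    col.setvar("strikes", 5, 0)      # constructed sample: should decay by 1 per 60 s
    col.setvar("requests", 0, 0)     # constructed sample: bumped on every request
    col.end_transaction(0)
    for now in range(interval, duration + 1, interval):
        col.deprecatevar("strikes", 1, 60, now)
        col.setvar("requests", col.values["requests"] + 1, now)
        col.end_transaction(now)
    return col.values["strikes"]


if __name__ == "__main__":
    print("shared timestamp:      ", simulate(False))
    print("per-variable timestamp:", simulate(True))
```

In this model the shared-timestamp counter only decays when requests arrive less often than the deprecation period, so a client that keeps sending traffic never has its `strikes` reduced.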