Re: [mod-security-users] How to log transformed REQUEST_URI/REQUEST_URI_RAW?
From: Web C. <we...@we...> - 2021-10-23 16:56:36
Dear Azurit
To see what happens while testing I will try that, thank you :)
Does someone know how to print the result of a transformation function
like "t:normalizePathWin" in the message ("msg")?
Is the transformation applied to REQUEST_URI or REQUEST_URI_RAW in the Rule
below?
Greetings,
Webco
<az...@po...> schrieb am Sa., 23. Okt. 2021, 16:57:
> Hi
>
> try enabling debug log in ModSecurity.
>
>
> Citát Web Coach <we...@we...>:
>
> > Hello together :)
> >
> > How can I find the reason why the rule below was triggered? It looks like
> > the audit log does not provide enough information in this case either.
> >
> > %{REQUEST_URI} gives me: /yyyyy.php?site=http://blubb
> > %{REQUEST_URI_RAW} gives me: /yyyyy.php?site=http://blubb
> >
> > I think the transformed REQUEST_URI might be something like
> > "/yyyyy.php?site=http:/blubb" without the double slash. I want to be sure
> > why the rule was triggered and I want to see it black on white for
> > certainty. How would you do it?
> >
> > ModSecurity version: 2.9.4
> > Apache Version: 2.4.48
> >
> > Rule / in httpd.conf
> > ------------------
> > # Make sure there are no URI evasion attempts
> > SecRule REQUEST_URI "!@streq %{REQUEST_URI_RAW}" \
> >     "id:11000,phase:1,deny,t:normalizePathWin,log,\
> >     msg:'URI evasion attempt REQUEST_URI: %{REQUEST_URI} REQUEST_URI_RAW: %{REQUEST_URI_RAW}'"
> >
> > error.log
> > ------------------
> > [yyyy-mm-dd hh:mm:ss.mmmmmm] [-:error] 127.0.0.1:35220 zzzzzzz__zzzzzzzzzzzzzzzzzz
> > [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1).
> > Match of "streq %{REQUEST_URI_RAW}" against "REQUEST_URI" required.
> > [file "/opt/apache-2.4.48/conf/httpd.conf"] [line "200"] [id "11000"]
> > [msg "URI evasion attempt REQUEST_URI: /yyyyy.php?site=http://blubb REQUEST_URI_RAW: /yyyyy.php?site=http://blubb"]
> > [tag "domain.tld Public"] [hostname "domain.tld"] [uri "/yyyyy.php"]
> > [unique_id "zzzzzzz__zzzzzzzzzzzzzzzzzz"]
> >
> > Regards,
> > Webco
>
>
>
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
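Editor's note with an added example (not code from the thread or from the ModSecurity project). For ModSecurity 2.9.x the two questions above have short answers: a transformation such as t:normalizePathWin is applied only to the rule's target variable (REQUEST_URI here), never to the %{REQUEST_URI_RAW} macro in the operator argument, and a macro such as %{REQUEST_URI} in msg always expands to the untransformed variable, which is why the error.log entry shows identical strings for both. To see the transformed value "black on white" it has to be captured explicitly first. The rule ids 11001 and 11002, the tx.uri_norm variable name and the debug log path are arbitrary choices for this illustration.

```apacheconf
# Added example, not from the thread. Log the normalizePathWin output of
# REQUEST_URI next to the raw value. Ids 11001/11002 and tx.uri_norm are
# arbitrary names chosen for this illustration.

# Step 1: run the same transformation and use 'capture' on a match-all regex.
# @rx is evaluated against the *transformed* target, and 'capture' copies the
# regex groups into TX.0/TX.1, so TX.1 holds the normalized REQUEST_URI.
# 'pass' + 'nolog' keeps this helper rule silent.
SecRule REQUEST_URI "@rx ^(.*)$" \
    "id:11001,phase:1,pass,nolog,t:none,t:normalizePathWin,capture,\
    setvar:tx.uri_norm=%{TX.1}"

# Step 2: the original comparison, now logging raw, untransformed and
# transformed forms side by side. The transformation applies to REQUEST_URI
# only; the %{REQUEST_URI_RAW} macro in the operator argument is expanded
# verbatim and is never transformed.
SecRule REQUEST_URI "!@streq %{REQUEST_URI_RAW}" \
    "id:11002,phase:1,deny,log,t:none,t:normalizePathWin,\
    msg:'URI evasion attempt REQUEST_URI: %{REQUEST_URI} REQUEST_URI_RAW: %{REQUEST_URI_RAW} transformed: %{TX.uri_norm}'"

# Optional, for a test box only (very verbose): at debug level 9 ModSecurity
# writes every transformation step and its output to the debug log.
# The path is a placeholder.
# SecDebugLog /var/log/apache2/modsec_debug.log
# SecDebugLogLevel 9
```

With the request from the thread, normalizePath and normalizePathWin collapse repeated slashes (the Win variant first converts backslashes to forward slashes), and since REQUEST_URI includes the query string, the `//` in `site=http://blubb` becomes `http:/blubb`. TX.uri_norm therefore logs `/yyyyy.php?site=http:/blubb` while REQUEST_URI_RAW keeps the double slash, so @streq fails and the rule fires. That is the expected behaviour of this rule for any URL-valued query parameter, not an evasion attempt, which is worth keeping in mind before using it in deny mode on a site that passes URLs in parameters.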