[Mod-security-developers] Re: Re: Re: rule 921170
From: <877...@qq...> - 2022-02-23 08:45:28
OK, let me check out my platform.

------------------ Original Message ------------------
From: "Christian Folini" <chr...@ne...>;
Sent: Wednesday, February 23, 2022 4:38 PM
To: "huiming" <877...@qq...>;
Cc: "huiming via mod-security-developers" <mod...@li...>;
Subject: Re: Re: [Mod-security-developers] Re: rule 921170

On Wed, Feb 23, 2022 at 04:31:15PM +0800, huiming wrote:
> MATCHED_VAR_NAME should be changed to MATCHED_VAR.

No, MATCHED_VAR is the value of the variable, while MATCHED_VAR_NAME is the key.

So MATCHED_VAR is 3 and then 6, while MATCHED_VAR_NAME is ab in both cases.

> will send a log after a while.

Please do.

Cheers,

Christian

> ------------------ Original Message ------------------
> From: "mod-security-developers" <mod...@li...>;
> Sent: Wednesday, February 23, 2022 4:28 PM
> To: "Christian Folini" <chr...@ne...>; "huiming via mod-security-developers" <mod...@li...>;
> Cc: "huiming" <877...@qq...>;
> Subject: [Mod-security-developers] Re: rule 921170
>
> But MATCHED_VAR_NAME is ARGS_NAMES, not ab, so it will not work as expected.
>
> ------------------ Original Message ------------------
> From: "Christian Folini" <chr...@ne...>;
> Sent: Wednesday, February 23, 2022 4:25 PM
> To: "huiming via mod-security-developers" <mod...@li...>;
> Cc: "huiming" <877...@qq...>;
> Subject: Re: [Mod-security-developers] rule 921170
>
> Hey Huiming,
>
> Please be aware this is the ModSecurity mailing list and your question refers
> to the Core Rule Set, which has its own mailing list.
>
> But no problem, I'll respond here.
>
> A request parameter xxx with value yyy is added to two collections in
> ModSecurity.
>
> * ARGS_NAMES will get an item xxx
> * ARGS will get an item yyy
>
> A duplicate parameter means that a given parameter (ab in your baidu example)
> has been submitted multiple times in a request.
>
> So ARGS_NAMES would carry ab twice for the example. Like [ "ab", "ab" ].
>
> Now rule 921170 iterates over ARGS_NAMES and creates a variable
> TX.paramcounter_ab. This is set to 1 for the first occurrence of ab, and then
> to 2 with the 2nd occurrence.
>
> So TX.paramcounter_ab is 2 after 921170.
>
> 921180 will then check whether any of these paramcounters is greater than one.
> The ab paramcounter is, thus the rule 921180 is triggered.
>
> This is a PL3 rule. Thus a very sensitive rule that brings quite a few false
> positives on certain applications. Issuing a parameter multiple times in a
> request is no problem per se and perfectly valid for a web application. But it
> is also a technique of attackers. So if a service makes use of multiple
> submission of the same parameter in a given request, you need to fix the false
> positive with a rule exclusion.
>
> This is a special case since you can not simply remove ab from 921180. Instead
> you need to do the following:
>
> # ModSec Rule Exclusion: 921180 : HTTP Parameter Pollution (ARGS_NAMES:ab)
> SecRuleUpdateTargetById 921180 "!TX:paramcounter_ARGS_NAMES:ab"
>
> Hope this helps!
>
> Christian
>
> On Wed, Feb 23, 2022 at 04:09:10PM +0800, huiming via mod-security-developers
> wrote:
> > hi,
> >
> > SecRule ARGS_NAMES "@rx ." \
> >     "id:921170,\
> >     phase:2,\
> >     pass,\
> >     nolog,\
> >     tag:'application-multi',\
> >     tag:'language-multi',\
> >     tag:'platform-multi',\
> >     tag:'attack-protocol',\
> >     tag:'paranoia-level/3',\
> >     tag:'OWASP_CRS',\
> >     tag:'capec/1000/152/137/15/460',\
> >     ver:'OWASP_CRS/3.4.0-dev',\
> >     setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
> >
> > The rule generates only one variable named TX.paramcount_ARGS_NAMES, and
> > assigns it the count of items in ARGS_NAMES. But this should not be the
> > target, I think, because the target is to find duplicate parameters. It
> > should generate a different variable named TX.paramcount_xxx for every
> > variable name, where xxx is the variable name. The value of
> > TX.paramcount_xxx is the count of xxx in ARGS_NAMES. The same variable name
> > can exist in ARGS_NAMES multiple times, for example
> > http://www.baidu.com?ab=3&ab=6
> >
> > Is my understanding wrong?
> >
> > huiming thanks
>
> > _______________________________________________
> > mod-security-developers mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> > ModSecurity Services from Trustwave's SpiderLabs:
> > https://www.trustwave.com/spiderLabs.php
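To make the counting behaviour discussed in this thread concrete, here is an added Python model of rules 921170 and 921180 (example code written for this page; it is not CRS or ModSecurity code). It assumes that for a match in ARGS_NAMES, MATCHED_VAR_NAME expands to the collection-qualified key `ARGS_NAMES:ab`, which is the form the exclusion target `TX:paramcounter_ARGS_NAMES:ab` in the thread uses. It also models the single-counter behaviour huiming reports seeing on his platform, to show why that would fire 921180 on any request carrying two or more parameters. The query strings are constructed samples.

```python
"""Model of CRS rules 921170/921180 (HTTP Parameter Pollution) from the thread.

Illustrative Python, not ModSecurity or CRS code. Assumption: for a match in
ARGS_NAMES, MATCHED_VAR_NAME is the collection-qualified key
"ARGS_NAMES:<param>", which is why the exclusion in the thread targets
TX:paramcounter_ARGS_NAMES:ab.
"""
from typing import Dict, Iterable, List
from urllib.parse import parse_qsl


def args_names(query: str) -> List[str]:
    """ARGS_NAMES as ModSecurity populates it: one entry per submitted
    parameter, so a duplicated parameter appears more than once."""
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)]


def rule_921170(names: Iterable[str]) -> Dict[str, int]:
    """Iterate ARGS_NAMES and apply setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'
    with MATCHED_VAR_NAME = "ARGS_NAMES:<name>" (assumed, see module docstring)."""
    tx: Dict[str, int] = {}
    for name in names:
        key = f"paramcounter_ARGS_NAMES:{name}"
        tx[key] = tx.get(key, 0) + 1
    return tx


def rule_921170_single_counter(names: Iterable[str]) -> Dict[str, int]:
    """The behaviour huiming reports on his platform: MATCHED_VAR_NAME expanding
    to the bare collection name, so a single counter totals every parameter."""
    tx: Dict[str, int] = {}
    for _ in names:
        tx["paramcounter_ARGS_NAMES"] = tx.get("paramcounter_ARGS_NAMES", 0) + 1
    return tx


def rule_921180(tx: Dict[str, int], excluded: Iterable[str] = ()) -> List[str]:
    """SecRule TX:/paramcounter_.*/ "@gt 1": return the TX keys that fire.

    `excluded` models SecRuleUpdateTargetById 921180 "!TX:paramcounter_ARGS_NAMES:ab",
    given as TX variable names without the "TX:" prefix."""
    skip = set(excluded)
    return sorted(k for k, v in tx.items()
                  if k.startswith("paramcounter_") and v > 1 and k not in skip)


if __name__ == "__main__":
    # Constructed sample requests (query strings only).
    polluted = "ab=3&ab=6"          # the baidu example from the thread
    ordinary = "user=alice&page=2"  # two distinct parameters, no duplication

    # Per-name counters: only the duplicated 'ab' fires.
    print(rule_921180(rule_921170(args_names(polluted))))
    # With the exclusion from the thread in place, nothing fires.
    print(rule_921180(rule_921170(args_names(polluted)),
                      excluded={"paramcounter_ARGS_NAMES:ab"}))
    # Ordinary request with per-name counters: nothing fires.
    print(rule_921180(rule_921170(args_names(ordinary))))
    # Single-counter behaviour: the same ordinary request fires 921180.
    print(rule_921180(rule_921170_single_counter(args_names(ordinary))))
```

Compare the last two results: with per-parameter counters an ordinary two-parameter request is clean, while the single-counter variant fires 921180 on it. That is the false-positive pattern to look for in an audit log, since it would show 921180 matching on TX:paramcounter_ARGS_NAMES rather than on a name-qualified counter.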