[Mod-security-developers] 回复： 回复： 回复： rule 921170

[<877...@qq...>]

OK, let me checkout my platform.


------------------ 原始邮件 ------------------
发件人:                                                                                                                        "Christian Folini"                                                                                    <chr...@ne...&gt;;
发送时间:&nbsp;2022年2月23日(星期三) 下午4:38
收件人:&nbsp;"huiming"<877...@qq...&gt;;
抄送:&nbsp;"huiming via mod-security-developers"<mod...@li...&gt;;
主题:&nbsp;Re: 回复：[Mod-security-developers] 回复：  rule 921170



On Wed, Feb 23, 2022 at 04:31:15PM +0800, huiming wrote:
&gt; MATCHED_VAR_NAME&amp;nbsp;should be changed to&amp;nbsp;MATCHED_VAR.&amp;nbsp;

No, MATCHED_VAR is the value of the variable, while MATCHED_VAR_NAME is the
key. So MATCHED_VAR is 3 and then 6, while MATCHED_VAR_NAME is ab in both
cases.

&gt; will send a log after a while.

Please do.

Cheers,

Christian

&gt; 
&gt; 
&gt; 
&gt; 
&gt; 
&gt; 
&gt; ------------------&amp;nbsp;原始邮件&amp;nbsp;------------------
&gt; 发件人:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "mod-security-developers"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <mod...@li...&amp;gt;;
&gt; 发送时间:&amp;nbsp;2022年2月23日(星期三) 下午4:28
&gt; 收件人:&amp;nbsp;"Christian Folini"<chr...@ne...&amp;gt;;"huiming via mod-security-developers"<mod...@li...&amp;gt;;
&gt; 抄送:&amp;nbsp;"huiming"<877...@qq...&amp;gt;;
&gt; 主题:&amp;nbsp;[Mod-security-developers] 回复：&nbsp; rule 921170
&gt; 
&gt; 
&gt; 
&gt; but MATCHED_VAR_NAME is ARGS_NAMES, not ab. so I will not work as expected.
&gt; 
&gt; 
&gt; 
&gt; 
&gt; ------------------ 原始邮件 ------------------
&gt; 发件人:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "Christian Folini"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <chr...@ne...&amp;gt;;
&gt; 发送时间:&amp;nbsp;2022年2月23日(星期三) 下午4:25
&gt; 收件人:&amp;nbsp;"huiming via mod-security-developers"<mod...@li...&amp;gt;;
&gt; 抄送:&amp;nbsp;"huiming"<877...@qq...&amp;gt;;
&gt; 主题:&amp;nbsp;Re: [Mod-security-developers] rule 921170
&gt; 
&gt; 
&gt; 
&gt; Hey Huiming,
&gt; 
&gt; Please be aware this is the ModSecurity mailing list and your question refers
&gt; to the Core Rule Set, which has its own mailing list.
&gt; 
&gt; But no problem, I'll respond here.
&gt; 
&gt; A request parameter xxx with value yyy is added to two collection in
&gt; ModSecurity.
&gt; 
&gt; * ARGS_NAMES will get an item xxx
&gt; * ARGS will get an item yyy
&gt; 
&gt; A duplicate parameter means that a given parameter (ab in your baidu example)
&gt; has been submitted multiple times in a request.
&gt; 
&gt; So ARGS_NAMES would carry ab twice for the example. Like [ "ab", "ab" ].
&gt; 
&gt; Now rule 921170 iterates over ARGS_NAMES and creates a variable
&gt; TX.paramcounter_ab. This is set to 1 for the first occurrence of ab, and then
&gt; to 2 with the 2nd occurrence.
&gt; 
&gt; So TX.paramcounter_ab is 2 after 921170.
&gt; 
&gt; 921180 will then check whether any of these paramcounters is greater than one.
&gt; The ab paramcounter is, thus the rule 921180 is triggered.
&gt; 
&gt; This is a PL3 rule. Thus a very sensitive rule that brings quite a few false
&gt; positives on certain applications. Issuing a parameter multiple times in a
&gt; request is no problem per se and perfectly valid for a web application. But it
&gt; is also a technique of attackers. So if a service makes use of multiple
&gt; submission of the same parameter in a given request, you need to fix the false
&gt; positive with a rule exclusion.
&gt; 
&gt; This is a special case since you can not simply remove ab from 921180. Instead
&gt; you need to do the following:
&gt; 
&gt; # ModSec Rule Exclusion: 921180 : HTTP Parameter Pollution (ARGS_NAMES:ab)
&gt; SecRuleUpdateTargetById 921180 "!TX:paramcounter_ARGS_NAMES:ab"
&gt; 
&gt; Hope this helps!
&gt; 
&gt; Christian
&gt; 
&gt; 
&gt; 
&gt; 
&gt; 
&gt; 
&gt; On Wed, Feb 23, 2022 at 04:09:10PM +0800, huiming via mod-security-developers
&gt; wrote:
&gt; &amp;gt; hi,
&gt; &amp;gt; 
&gt; &amp;gt; 
&gt; &amp;gt; SecRule ARGS_NAMES "@rx ." \ &amp;amp;nbsp; &amp;amp;nbsp; "id:921170,\ &amp;amp;nbsp; &amp;amp;nbsp;
&gt; &amp;gt; phase:2,\ &amp;amp;nbsp; &amp;amp;nbsp; pass,\ &amp;amp;nbsp; &amp;amp;nbsp; nolog,\ &amp;amp;nbsp; &amp;amp;nbsp;
&gt; &amp;gt; tag:'application-multi',\ &amp;amp;nbsp; &amp;amp;nbsp; tag:'language-multi',\ &amp;amp;nbsp; &amp;amp;nbsp;
&gt; &amp;gt; tag:'platform-multi',\ &amp;amp;nbsp; &amp;amp;nbsp; tag:'attack-protocol',\ &amp;amp;nbsp; &amp;amp;nbsp;
&gt; &amp;gt; tag:'paranoia-level/3',\ &amp;amp;nbsp; &amp;amp;nbsp; tag:'OWASP_CRS',\ &amp;amp;nbsp; &amp;amp;nbsp;
&gt; &amp;gt; tag:'capec/1000/152/137/15/460',\ &amp;amp;nbsp; &amp;amp;nbsp; ver:'OWASP_CRS/3.4.0-dev',\
&gt; &amp;gt; &amp;amp;nbsp; &amp;amp;nbsp; setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
&gt; &amp;gt; 
&gt; &amp;gt; 
&gt; &amp;gt; 
&gt; &amp;gt; The rule generate only one variable named&amp;amp;nbsp; TX.paramcount_ARGS_NAMES,
&gt; &amp;gt; and assigned the count item in&amp;amp;nbsp; ARGS_NAMES.&amp;amp;nbsp; but this should not
&gt; &amp;gt; be the target I think. because the target is to find duplicate parameters.
&gt; &amp;gt; It should generate a different variable named TX.paramcount_xxx for every
&gt; &amp;gt; variable name,&amp;amp;nbsp; xxx is the variable name.&amp;nbsp; The value is
&gt; &amp;gt; TX.paramcount_xxx is the count of xxx in ARGS_NAMES.&amp;amp;nbsp; &amp;amp;nbsp;same
&gt; &amp;gt; variable name can exist&amp;amp;nbsp; in ARGS_NAMES multiple times. for example
&gt; &amp;gt; http://www.baidu.com?ab=3&amp;amp;amp;ab=6
&gt; &amp;gt; 
&gt; &amp;gt; 
&gt; &amp;gt; my understanding is wrong?
&gt; &amp;gt; 
&gt; &amp;gt; 
&gt; &amp;gt; huiming thanks
&gt; 
&gt; 
&gt; &amp;gt; _______________________________________________
&gt; &amp;gt; mod-security-developers mailing list
&gt; &amp;gt; mod...@li...
&gt; &amp;gt; https://lists.sourceforge.net/lists/listinfo/mod-security-developers
&gt; &amp;gt; ModSecurity Services from Trustwave's SpiderLabs:
&gt; &amp;gt; https://www.trustwave.com/spiderLabs.php