Re: [mod-security-users] Advanced filtering
From: Ivan R. <iv...@we...> - 2005-02-08 19:00:38
Katsuharu Watanabe wrote:
> Hi all,
>
> I have some trouble.
>
> (1) I want to block some meta-characters on request parameters except that named test1, but I can't filter "&" and "=" well.
>
> --- My configuration ---
> SecFilterSelective "ARGS_NAMES|ARGS_VALUES|!ARG_test1" "[&]" deny,log
> SecFilterSelective "ARGS_NAMES|ARGS_VALUES|!ARG_test1" "[=]" deny,log
>
> In detail, when the request has only the parameter test1, it works fine. But when there are more parameters, any request is blocked. For example, I access the URL below.
>
> http://www.example.com/index.html?test1=111&test2=222&test3=333
>
> This case is checking against "test2=222&test3=333". (found this from debug-log.)
> I want to evaluate "222" and "333", but I have no idea.

That's not possible at the moment. However, it makes sense and I'll make it possible in 1.9. (The "!ARG_xyz" syntax only works with "ARGS" at the moment.)

> (2) How does SecFilterSelective's location match the whole request including headers?
>
> That's maybe,
>
> SecFilterSelective "THE_REQUEST|POST_PAYLOAD|HTTP_Host|HTTP_User-Agent|(...more and more headers context)" foo deny,log
>
> But this is very hard... I want an easier and simpler configuration, like the Output filter,
>
> SecFilterSelective INPUT foo deny,log
>
> What do you think?

In 1.9 it's:

SecFilterSelective THE_REQUEST|POST_PAYLOAD|HEADERS foo deny,log

I can add EVERYWHERE to make it even simpler :) Although do note OUTPUT only covers the response body at this time. It doesn't include the response headers.

--
Ivan Ristic (http://www.modsecurity.org)
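The difference between the two evaluation strategies in question (1), as an added illustration that is not ModSecurity code and not from either poster: matching the remaining parameters as one joined string, as the quoted debug log shows, versus matching each decoded name and value separately. The function names are hypothetical and the sample query strings are constructed.

```python
import re
from urllib.parse import parse_qsl

# The two single-character patterns from the post, combined into one class.
META = re.compile(r"[&=]")


def joined_target(query, exclude):
    """Model of the behaviour seen in the debug log: the excluded
    parameter is dropped and the rest is matched as one raw string."""
    parts = [p for p in query.split("&") if p.split("=", 1)[0] != exclude]
    return "&".join(parts)


def joined_blocks(query, exclude):
    """True when the joined string contains '&' or '='."""
    return bool(META.search(joined_target(query, exclude)))


def per_value_hits(query, exclude):
    """Assumed per-parameter evaluation: each decoded name and value is
    matched on its own, so the separators themselves never trigger."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name == exclude:
            continue
        if META.search(name):
            hits.append(("name", name))
        if META.search(value):
            hits.append(("value", value))
    return hits


if __name__ == "__main__":
    samples = [
        "test1=111",                       # only the excluded parameter
        "test1=111&test2=222&test3=333",   # the request from the post
        "test1=x%3Dy&test2=a%26b",         # encoded metacharacters (constructed)
    ]
    for q in samples:
        print(q, joined_blocks(q, "test1"), per_value_hits(q, "test1"))
```

The third sample shows the case per-value matching is meant to catch: an encoded `&` inside the value of test2 is flagged, while the same kind of character inside the excluded test1 is ignored.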