Re: [mod-security-users] THE_REQUEST vs. REQUEST_URI vs. REQUEST_FILE
From: Ivan R. <iv...@we...> - 2005-08-05 15:49:56
Sander Holthaus - Orange XL wrote:
> I'm trying to implement some custom rules for mod_security, but I'm slightly
> confused on what the best and most efficient way is to implement rules.
>
> Looking at existent rules, there seems to be no real definitive way to match
> requests. Is there any?

Yes, there can be many solutions to the same problem. In general
they can all be equal, provided they work properly.

> How do the internals work of mod_security in this
> regard? Are all KEYWORDS generated in one pass, or are some keywords
> initiated and filtered before others?

Keywords are "generated" on demand. Rules are processed in the
order they appear in the configuration file.

> An example for the same rule:
>
> # Exploit phpBB Highlighting Code Execution Attempt (v1)
> SecFilterSelective REQUEST_FILENAME "/viewtopic\.php$" chain
> SecFilterSelective ARG_highlight "(\'\.|\x2527\x252E)"
>
> # Exploit phpBB Highlighting Code Execution Attempt (v2)
> SecFilterSelective REQUEST_URI "/viewtopic\.php\?.*highlight=(\'\.|\x2527\x252E)"
>
> # Exploit phpBB Highlighting Code Execution Attempt (v3)
> SecFilterSelective THE_REQUEST "/viewtopic\.php\?.*highlight=(\'\.|\x2527\x252E)"

I wouldn't worry too much about it. If you really want you can
measure the performance to see if any of the approaches is faster
than the others.

Personally I don't like to use THE_REQUEST much. I prefer
REQUEST_URI, or REQUEST_FILENAME. As a reminder, here's what
these variables contain:

THE_REQUEST      - GET /index.php?x=y
REQUEST_URI      - /index.php?x=y
REQUEST_FILENAME - /var/www/htdocs/index.php
SCRIPT_FILENAME  - /var/www/htdocs/index.php

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
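
Added example (not part of the message above and not mod_security code): a simplified Python model that builds the variables as the message lists them and evaluates the three quoted rule variants against constructed request URIs, to check that the variants agree. The document root, the single URL-decoding pass before matching, and the function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

DOCROOT = "/var/www/htdocs"  # assumption: document root from the message's sample paths

# Patterns copied from the three rule variants quoted in the message.
FILE_RE = r"/viewtopic\.php$"
ARG_RE = r"(\'\.|\x2527\x252E)"
URI_RE = r"/viewtopic\.php\?.*highlight=(\'\.|\x2527\x252E)"


def variables(method, raw_uri):
    """Build the variables the way the message lists them (simplified model)."""
    parts = urlsplit(raw_uri)
    uri = unquote(raw_uri)  # assumption: one URL-decoding pass before matching
    return {
        "THE_REQUEST": f"{method} {uri}",
        "REQUEST_URI": uri,
        "REQUEST_FILENAME": DOCROOT + unquote(parts.path),
        "ARGS": dict(parse_qsl(parts.query)),  # parse_qsl decodes values once
    }


def verdicts(method, raw_uri):
    """Return (v1, v2, v3): whether each rule variant matches the request."""
    v = variables(method, raw_uri)
    # v1 is a chain: both filters must match for the rule to fire.
    v1 = bool(re.search(FILE_RE, v["REQUEST_FILENAME"])) and bool(
        re.search(ARG_RE, v["ARGS"].get("highlight", "")))
    v2 = bool(re.search(URI_RE, v["REQUEST_URI"]))
    v3 = bool(re.search(URI_RE, v["THE_REQUEST"]))
    return v1, v2, v3


# Constructed sample request URIs, not taken from real traffic.
SAMPLES = [
    "/index.php?x=y",
    "/viewtopic.php?t=1&highlight=firewall",
    "/viewtopic.php?t=1&highlight=%27.x",
    "/viewtopic.php?highlight=%2527%252E",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw, verdicts("GET", raw))
```

The `$` anchor in v1 only works because REQUEST_FILENAME carries no query string; the same pattern applied to REQUEST_URI would not match a request with parameters.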