Re: [mod-security-users] Trying to understand regex (help needed)
From: Christian B. <ch...@jw...> - 2007-04-27 16:18:28
On 27.04.2007 at 17:21, Joakim Schramm wrote:

>>> SecRule &REQUEST_HEADERS:Accept "@eq 0" \
>>>     "chain,skip:2,t:none,status:200,log,auditlog,id:'96014'"
>>> SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:sbider|envolk|speedy spider|msrbot|kulturarw3)/b)" "chain,t:none, severity:'5'"
>>
>> You might probably want to end this expression with \b instead of /b.
>
> Ught! I guess that came from the back of my html brain... :-)

I'd recommend standing up and going for a 5-minute office walk (coffee, cookies, a little chat) before switching from an HTML/web-programming task to writing security rulesets - you never know ;-) Just kiddin'.

> SecRule &REQUEST_HEADERS:Accept "@eq 0" \
>     "chain,skip:2,t:none,t:lower,status:200,log,auditlog,msg:'Request has Zero Accept Header but OK',severity:'5',id:'90014'"
> SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:sbider|envolk|speedy spider|msrbot|kulturarw3)\b)" "chain"
> SecRule REQUEST_METHOD "!OPTIONS"
>
> Now with t:lower in the first part of the chain, it will also apply to the
> second, where the "names" are, right?

I am sorry. The function is called "lowercase", not just "lower". See:
http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/html-multipage/06-transformation-functions.html#N10E89

You might also want to apply things like compressWhitespace. Again, the debug log is a really good source for getting a feeling for transformation stuff.

> Yes I know, robots seldom (if ever) send an Accept header though; if they do,
> well then they would be less troublesome :-)

Most RSS clients do not send one either. I don't know why this missing Accept header is so important - perhaps Ryan can give a little bit on this. As read in RFC 2616 (see http://web-sniffer.net/rfc/rfc2616.html#section-14.1), an Accept header CAN be sent, but it doesn't have to be. I got hundreds of warnings when running a huge number of requests through the core rules, almost all due to a missing Accept header, so I simply removed this rule.
These were produced by RSS clients most of the time. I am just curious why this might be worth a warning.

> I am just a bit unsure about skip and chain here. The above chained rule, if
> it matches, will skip the 2 following rules after the chain, right? And if a
> rule is chained like this one it will count as 1, even if it may have 2
> SecRule directives chained - or?

Yes, that's what I'd expect.

Regards,
Chris
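The two points the thread turns on, that transformation functions (lowercase, compressWhitespace) run on the variable before the regex is evaluated, and that `\b` is a word boundary while `/b` is a literal slash followed by `b`, together with the all-links-must-match logic of the three-rule chain, simulated in Python as an added example. This is not code from the original post or from ModSecurity itself: the request dicts and User-Agent strings below are constructed for the illustration, the Python functions only mimic what the rule engine does for these operators, and the `skip:2` behaviour discussed at the end of the message is not modelled.

```python
import re

# The corrected User-Agent pattern from the thread (\b at the end) and the
# original typo variant (/b: a literal slash followed by the letter b).
BOT_RE_FIXED = re.compile(r"(?:\b(?:sbider|envolk|speedy spider|msrbot|kulturarw3)\b)")
BOT_RE_TYPO = re.compile(r"(?:\b(?:sbider|envolk|speedy spider|msrbot|kulturarw3)/b)")

# Python stand-ins for the two ModSecurity transformation functions named in
# the thread (t:lowercase and t:compressWhitespace). They are applied in the
# listed order, before the regex is evaluated, which is what the engine does.
TRANSFORMS = {
    "lowercase": str.lower,
    "compressWhitespace": lambda s: re.sub(r"\s+", " ", s),
}


def apply_transforms(value, names):
    """Run the named transformations over value, left to right."""
    for name in names:
        value = TRANSFORMS[name](value)
    return value


def ua_matches(ua, pattern=BOT_RE_FIXED, transforms=("lowercase", "compressWhitespace")):
    """True if the transformed User-Agent matches the bot pattern."""
    return pattern.search(apply_transforms(ua, transforms)) is not None


def chain_matches(request, transforms=("lowercase", "compressWhitespace")):
    """Mimic the three-rule chain: every link must match for the chain to fire.

    request is a constructed dict: {"method": str, "headers": {name: [values]}}.
    Header values are lists so the counting operator (&REQUEST_HEADERS:Accept)
    can be modelled as the number of Accept headers present.
    """
    headers = request["headers"]
    # Link 1: &REQUEST_HEADERS:Accept "@eq 0" -> no Accept header at all
    if len(headers.get("Accept", [])) != 0:
        return False
    # Link 2: REQUEST_HEADERS:User-Agent matches the bot regex after transforms
    ua = headers.get("User-Agent", [""])[0]
    if not ua_matches(ua, transforms=transforms):
        return False
    # Link 3: REQUEST_METHOD "!OPTIONS" -> negated match, anything but OPTIONS
    return request["method"] != "OPTIONS"


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "bot_no_accept": {"method": "GET",
                      "headers": {"User-Agent": ["Mozilla/5.0 SBIDER/1.0"]}},
    "bot_with_accept": {"method": "GET",
                        "headers": {"User-Agent": ["Mozilla/5.0 SBIDER/1.0"],
                                    "Accept": ["*/*"]}},
    "bot_options": {"method": "OPTIONS",
                    "headers": {"User-Agent": ["msrbot/1.0"]}},
    "browser_no_accept": {"method": "GET",
                          "headers": {"User-Agent": ["Mozilla/5.0 (Windows NT 6.0) Firefox/2.0"]}},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:18s} chain matches: {chain_matches(req)}")
    # Why the transformations matter: the regex itself is case-sensitive and
    # expects exactly one space in "speedy spider".
    print("SBIDER/1.0 without t:lowercase:",
          ua_matches("SBIDER/1.0", transforms=()))
    print("'Speedy   Spider' with lowercase only:",
          ua_matches("Speedy   Spider/2.1", transforms=("lowercase",)))
    # Why /b was wrong: it demands a literal "/b" after the bot name.
    print("typo pattern (/b) on sbider/1.0:",
          ua_matches("sbider/1.0", pattern=BOT_RE_TYPO))
    # Why \b is right: "envolkbot" is not the bot name "envolk" as a whole word.
    print("fixed pattern on envolkbot/1.0:", ua_matches("envolkbot/1.0"))
```

Running the script shows the chain firing only for the bot request that has no Accept header and is not an OPTIONS request, and shows that without t:lowercase an upper-case "SBIDER" slips past the lower-case pattern, which is exactly the kind of thing the debug log mentioned above will reveal in the real engine.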