________________________________
From: mod...@li...
[mailto:mod...@li...] On Behalf Of
Frank Misa
Sent: Monday, July 09, 2007 1:19 PM
To: mod...@li...
Subject: [mod-security-users] SecDefaultAction behavior and per-rule actions syntax...
Hi All,
Forgive the newbie questions....
I'm finding the documentation and lack of examples on ACTION syntax
quite confusing....
I'd be grateful for any thoughts/links on the following two related
questions:
Question1
---------------------------------------------------------------------------------
Many "actions" can be strung together in comma delimited strings: is
there any positional significance in these actions strings or resolution
strategy for actions that contradict each other ?
[Ryan Barnett] There is no positional significance with the disruptive
actions (deny, redirect, pass, allow, etc...) when they are specified on
a single rule. The only caveat is that if there are
multiple/conflicting disruptive actions then the one that is specified
LAST takes precedence.
For instance, this rule would allow access -
SecRule REQUEST_HEADERS:User-Agent "test" deny,allow
While this one would deny access -
SecRule REQUEST_HEADERS:User-Agent "test" allow,deny
---------------------------------------------------------------------------------
For example - here are two rules:
>> SecRule REQUEST_HEADERS:User-Agent "Test" allow,nolog
>> SecRule REMOTE_ADDR "^192\.168\.1\.100$" auditlog,phase:1,allow
The first rule specified action: "allow,nolog"
The second rule specified action: "auditlog,phase:1,allow"
can the "allow" action appear anywhere in the string ?
if a "phase" is not specified - what does it default to ?
[Ryan Barnett] If a phase is not specified on the individual rule line,
then it will do one of the following -
First, it will see if the rule inherits any phase setting from a
previously defined SecDefaultAction.
Second, if there is no phase inheritance from a SecDefaultAction
setting, it will inherit the default setting which is phase:2.
Question2
---------------------------------------------------------------------------------
It's not clear to me - does the SecDefaultAction directive - override
the actions specified in following SecRules ?
[Ryan Barnett] No, any actions specified on an individual rule take
precedence over SecDefaultAction settings. The only area where this
becomes a bit confusing is with transformation functions. Trans
functions are additive. This means that if you specify a trans
function on an individual rule, it will be applied after any inherited
functions from a previous SecDefaultAction directive. The default
transformation function setting, if one is not specified, is -
lowercase, replaceNulls and compressWhitespace (in this order). If you
want to clear out any trans functions on a specific rule, you need to
use "t:none" and then specify exactly what you want to apply to the
specific rule.
---------------------------------------------------------------------------------
For example - if I use the following global "log and pass" security
policy.
>> SecDefaultAction "phase:2,log,pass,status:500"
would this override a "deny" specified in a SecRule that follows - like
this:
>> SecRule REQUEST_HEADERS:Host "^[\d\.]+$"
"deny,log,auditlog,status:400,msg:'Host header is a numeric IP address',
severity:'2',,id:'960017',"
[Ryan Barnett] No, the deny action on the individual rule takes
precedence.
OR - is the SecDefaultAction directive only good for SecRules that have
not specified ANY action ?
[Ryan Barnett] SecDefaultAction will apply to all of the rules that
follow it (in the same phase) unless either another SecDefaultAction is
specified or an action is specified on the individual rule.
The core_rules comments seem to indicate SecDefaultAction can override
following SecRule actions...
From the documentation.....
>>#.....You can also leave the
>># default setting here as is, but use per rule action configuration
>># to only configure some rules to reject requests, leaving most
>># of them to work in detection mode.
Well - where can we find an example of this ?
[Ryan Barnett] This is in reference to actions on rules taking
precedence.
I'm trying to use the "ctl:????" action to force this rule to deny in my
custom *.conf file: modsecurity_crs_60_customrules.conf
but there isn't any ctl:defaultAction configuration option ?
[Ryan Barnett] Not sure what you mean here?
Should I just do the following (where ip xxx.xxx.xxx.xxx is some numeric
IP I want to allow...):
SecRuleRemoveById 960017
SecDefaultAction "phase:2,log,deny,status:500"
SecRule REQUEST_HEADERS:Host "!^(xxx.xxx.xxx.xxx)$"
"deny,log,auditlog,status:400,msg:'Host header is a numeric IP address',
severity:'2',,id:'1000',"
SecDefaultAction "phase:2,log,pass,status:500"
[Ryan Barnett] You are trying to add a rule that will allow clients to
specify a certain IP address in the request's Host header correct?
Additionally, you probably don't want to allow people to specify
other/non-valid IP addresses in the Host header, right? In this case,
you don't need to disable the existing Core Rule. Just add the
following rule to a modsecurity_crs_15_customrules.conf file as this
will be evaluated before the existing Core Rule 960017 -
SecRule REQUEST_HEADERS:Host "!^(xxx.xxx.xxx.xxx)$"
"deny,log,auditlog,status:400,msg:'Host header is a numeric IP address',
severity:'2',,id:'1000',"
Any thoughts appreciated....
Thanks
Frank
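The following ModSecurity 2.x configuration is an added example that is not part of the thread above; it pulls the points from Ryan's answers into one file so the inheritance and precedence behaviour can be read side by side. The rule ids, the argument patterns and the allowed Host value 203.0.113.10 (a documentation-range placeholder standing in for the xxx.xxx.xxx.xxx of the original question) are assumptions made for the example. The default transformation chain named in the comments is the one the thread states for this ModSecurity generation.

```apacheconf
# Added example, not from the mailing-list thread. ModSecurity 2.x syntax.
SecRuleEngine On

# Global "log and pass" policy. Every rule that follows in phase 2 inherits
# these settings unless the rule itself specifies an action of the same kind.
SecDefaultAction "phase:2,log,pass,status:500"

# Inherits everything: phase:2, log, the disruptive action "pass", status:500,
# and the inherited default transformations (lowercase, replaceNulls,
# compressWhitespace, as stated in the thread). Id and pattern are assumed.
SecRule ARGS "select" "id:1001,msg:'inherited defaults only'"

# Per-rule actions take precedence over SecDefaultAction: "deny" replaces the
# inherited "pass", "phase:1" replaces the inherited "phase:2", and status:400
# replaces status:500. This is the Host allow-list rule from the thread with a
# placeholder IP; note the dots are escaped so the regex matches only that IP.
SecRule REQUEST_HEADERS:Host "!^203\.0\.113\.10$" \
  "phase:1,deny,log,auditlog,status:400,id:1002,msg:'Host header is not the allowed IP address'"

# Transformations are additive: urlDecodeUni runs AFTER the inherited
# lowercase/replaceNulls/compressWhitespace chain.
SecRule ARGS "\.\./" "id:1003,t:urlDecodeUni,deny"

# t:none clears the inherited chain first, so only the transformations listed
# after it are applied to this rule, in this order.
SecRule ARGS "\.\./" "id:1004,t:none,t:urlDecodeUni,t:normalisePathWin,deny"

# Conflicting disruptive actions on a single rule: the one listed LAST wins.
# This rule ends up allowing the request.
SecRule REQUEST_HEADERS:User-Agent "test" "id:1005,deny,allow"
# This rule ends up denying it.
SecRule REQUEST_HEADERS:User-Agent "test" "id:1006,allow,deny"

# Switching the default back to the detection-only policy for whatever follows.
SecDefaultAction "phase:2,log,pass,status:500"
```

Following Ryan's advice, the Host allow-list rule (id 1002 here) belongs in a file that is loaded before the Core Rule it is meant to pre-empt, such as the modsecurity_crs_15_customrules.conf he names, rather than being paired with a SecRuleRemoveById for 960017. Verify the resulting behaviour against the audit log rather than by reading the file, since which transformations were applied and which disruptive action fired are recorded there per matched rule.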
________________________________