Hi Christian,
Thanks for your reply.
I wanted to understand the regex.
Can you please help me with that?
I wanted to know which part of the regex is making ";" mandatory *at the
end*, as I also tested by putting ";" at the beginning, and the rule is not
getting triggered.
http://www.example.com/;ls
Thanks,
Homesh
On Fri, Jan 17, 2020 at 12:31 PM Christian Folini <chr...@ne...> wrote:
> Hello Homesh,
>
> The regex looks like Atomicorp rule 340029. Making the semicolon mandatory
> was a decision by the person writing the rule. Maybe done in order to avoid
> some false positives. Have you tried asking Atomicorp / gotRoot support?
>
> Best,
>
> Christian
>
> On Fri, Jan 17, 2020 at 12:12:11PM +0530, homesh joshi wrote:
> > Hi All,
> >
> > I am referring to below Rule
> >
> > SecRule
> >
> > REQUEST_URI|ARGS|!ARGS:fileContent|!ARGS:/_edit_/|!ARGS:/details/|!ARGS:/block_value/|!ARGS:/News/|!ARGS:/products_/|!ARGS:/article/|!ARGS:/template/|!ARGS:editor1|!ARGS:prefix|!ARGS:suffix|!ARGS:/info/|!ARGS:payment_extrainfo|!ARGS:file|!ARGS:thecode|!ARGS:/chat/|!ARGS:snippet|!ARGS:/phpcode/|!ARGS:intro|!ARGS:/title/|!ARGS:/data_parent/|!ARGS:code|!ARGS:lajmi|!ARGS:/content/|!ARGS:/desc/|!ARGS:/hilit/|!ARGS:/hilight/|!ARGS:/highlight/|!ARGS:/body/|!ARGS:/post/|!ARGS:/txt|!ARGS:/content/|!ARGS:/keyword/|!ARGS:/summary/|!ARGS:/note/|!ARGS:/solution/|!ARGS:/msg/|!ARGS:/highlight/|!ARGS:/text/|!ARGS:/subject/|!ARGS:/message/|!ARGS:/post/|!ARGS:/resolution/|!ARGS:/problem/
> > "(?:;|/|\|
> >
> > )(?:\b(?:cat|ls|perl|uname|pwd|cp|tclsh8?|cpp|f(?:etch|tp)|python|chown|rm|ping|rsync|rdiff-backup|scp|wget|curl|links|g\+\+|ch(?:grp|own)|passwd|r?(?:b|d)ash|t?c?sh|telnet|clang|nc)\b
> > |\b(?:sleep|benchmark)\b \(? ?[0-9]|powershell -w|\bkill(?:
> > (?:[0-9]|-)|all\ ))" \
> >
> >
> > "log,auditlog,phase:2,deny,log,status:403,capture,id:5001,t:none,t:utf8toUnicode,t:urlDecodeUni,t:replaceNulls,t:cmdLine,rev:32,severity:2,msg:'Others',tag:'Attack
> > Blocked - command in REQUEST_URI or Argument',logdata:'%{TX.0}'"
> >
> > Rule is getting triggered for following URL
> >
> > http://www.example.com/ls;
> >
> > And rule is not getting triggered for following URL
> >
> > http://www.example.com/ls
> >
> > looking at following regex from rule on regex101.com I don't understand
> > why at the end ";" is required to trigger the rule.
> > (?:;|/|\|
> >
> > )(?:\b(?:cat|ls|perl|uname|pwd|cp|tclsh8?|cpp|f(?:etch|tp)|python|chown|rm|ping|rsync|rdiff-backup|scp|wget|curl|links|g\+\+|ch(?:grp|own)|passwd|r?(?:b|d)ash|t?c?sh|telnet|clang|nc)\b
> > |\b(?:sleep|benchmark)\b \(? ?[0-9]|powershell -w|\bkill(?:
> > (?:[0-9]|-)|all\ ))" \
> >
> > Thanks,
> > Homesh
>
>
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
>
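Added example, not code from the thread or from Atomicorp: a small Python harness that applies an approximation of the rule's transformation chain (urlDecodeUni, replaceNulls, cmdLine) and then the quoted regex to constructed URIs, reporting what the rule would log as %{TX.0}. Assumptions: the mail-wrapped regex is rejoined as `(?:;|/|\|)` and `\bkill(?: (?:[0-9]|-)|all\ )`, and cmdline_transform is written from the documented t:cmdLine steps rather than from ModSecurity's own code.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Regex from rule id:5001 as quoted in the thread, mail line wraps rejoined.
# Assumption: the wrap after "\|" closes the group, and the wrap after
# "kill(?:" sat on a space, i.e. "kill 9" / "kill -9" / "killall ".
CMD_RE = re.compile(
    r"(?:;|/|\|)(?:\b(?:cat|ls|perl|uname|pwd|cp|tclsh8?|cpp|f(?:etch|tp)|python"
    r"|chown|rm|ping|rsync|rdiff-backup|scp|wget|curl|links|g\+\+|ch(?:grp|own)"
    r"|passwd|r?(?:b|d)ash|t?c?sh|telnet|clang|nc)\b"
    r"|\b(?:sleep|benchmark)\b \(? ?[0-9]|powershell -w"
    r"|\bkill(?: (?:[0-9]|-)|all\ ))"
)


def cmdline_transform(value: str) -> str:
    """Approximation of ModSecurity's t:cmdLine, written from its documented
    steps (assumption: not ModSecurity's own implementation)."""
    value = re.sub(r"[\\\"'^]", "", value)       # drop \ " ' ^
    value = re.sub(r" +(?=[/(])", "", value)      # drop spaces before / and (
    value = value.replace(",", " ").replace(";", " ")
    value = re.sub(r"\s+", " ", value)            # collapse whitespace runs
    return value.lower()


def match_command(uri: str) -> Optional[str]:
    """Run the rule's transformation chain, then the regex, on one URI.
    Returns the matched text (what logdata:'%{TX.0}' would hold) or None."""
    value = unquote(uri).replace("\x00", "")       # urlDecodeUni, replaceNulls
    value = cmdline_transform(value)               # cmdLine
    m = CMD_RE.search(value)
    return m.group(0) if m else None


if __name__ == "__main__":
    # Constructed sample URIs, including the two from the thread.
    for uri in ("/ls;", "/ls", "/;ls", "/run?cmd=%7Cwget", "/search?q=cat"):
        transformed = cmdline_transform(unquote(uri))
        print(f"{uri!r:24} -> {transformed!r:20} TX.0={match_command(uri)!r}")
```

In this model, t:cmdLine rewrites every `;` to a space before the regex runs, so a semicolon in the raw URI never satisfies the `(?:;|/|\|)` prefix itself; it is the transformed value, not the raw request, that has to be tested when reasoning about the rule.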