mod-security-users

[mod-security-users] Reason for case discrpency in variable names?

[Quinn C. <qu...@st...>]

Hello all,

Under the `drop` section in the v2.x reference manual [1], there is this example:

SecAction phase:1,id:109,initcol:ip=%{REMOTE_ADDR},nolog
SecRule ARGS:login "!^$" "nolog,phase:1,id:110,setvar:ip.auth_attempt=+1,deprecatevar:ip.auth_attempt=25/120"
SecRule IP:AUTH_ATTEMPT "@gt 25" "log,drop,phase:1,id:111,msg:'Possible Brute Force Attack'"

I notice that `ip.auth_attempt` is all lowercase, while `IP:AUTH_ATTEMPT` is all uppercase. Is this the required format? I find it confusing if a variable is lowercase in one location but uppercase in another, so I'm hoping the above example is an error and it would be better to standard the case of variables as they are used in rules?

I couldn't find anywhere in the manual where it is suggested that SecRule variables should be uppercase while SecRule and SecAction actions use lowercase variables. In fact, there is an example under the description of SecAction [2], where an uppercase variable is initialized as `initcol:RESOURCE=…`, and I've seen other examples on the web where lowercase variable names are used as SecRule variables.

Just trying to make sense of this.

Thanks!
Quinn


[1] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#drop
[2] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secaction

Re: [mod-security-users] Reason for case discrpency in variable names?

[Andrew H. <rub...@gm...>]

Hello Quinn,

The syntax for *using* variables is subtly different to the syntax for
*defining* variables, e.g.
    setvar:tx.my_thing
versus
    SecRule TX:my_thing

At least in the Core Rule Set project, we try to emphasise this
difference by using upper-case letters for the collection (e.g. TX)
when *using* a variable and lower-case letters (e.g. tx) when
*defining* a variable. In addition, lower-case letters are used for
variables in both cases. (See:
https://github.com/coreruleset/coreruleset/blob/v3.4/dev/CONTRIBUTING.md#variable-naming-conventions).

It looks like the example from the ModSecurity Reference Manual you
mentioned also changes the case of the variable name, for even more
emphasis.

Hopefully that answers your question.

Thanks,
Andrew

Re: [mod-security-users] Reason for case discrpency in variable names?

[Quinn C. <qu...@st...>]

Thanks Andrew!


On 29 Oct 2021 11:12:35, Andrew Howe wrote:
> Hello Quinn,
> 
> The syntax for *using* variables is subtly different to the syntax for
> *defining* variables, e.g.
>     setvar:tx.my_thing
> versus
>     SecRule TX:my_thing
> 
> At least in the Core Rule Set project, we try to emphasise this
> difference by using upper-case letters for the collection (e.g. TX)
> when *using* a variable and lower-case letters (e.g. tx) when
> *defining* a variable. In addition, lower-case letters are used for
> variables in both cases. (See:
> https://github.com/coreruleset/coreruleset/blob/v3.4/dev/CONTRIBUTING.md#variable-naming-conventions).
> 
> It looks like the example from the ModSecurity Reference Manual you
> mentioned also changes the case of the variable name, for even more
> emphasis.
> 
> Hopefully that answers your question.
> 
> Thanks,
> Andrew
> 
> 
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>