17 Aug 15:04
Re: Performance tip
From: Ryan Barnett <rcbarnett <at> gmail.com>
Subject: Re: Performance tip
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2006-08-17 13:04:42 GMT
Doing some RegEx searching about comments... Doesn't this syntax work for adding comments - (?#comment)
So the updated RegEx code would look like this -
SecFilterSelective VAR "(\
KEYWORD1(?#signature comment1)|\
KEYWORD2(?#signature comment2)|\
KEYWORD3(?#signature comment3))"
Here is an example entry -
SecFilterSelective THE_REQUEST "(\
ps\x20(?#WEB-ATTACKS /bin/ps command attempt)|\
wget\x20(?#WEB-ATTACKS wget command attempt)|\
uname\x20-a(?#WEB-ATTACKS uname -a command attempt))"
I just ran a test and it worked. Here is the audit_log entry -
========================================
Request: 192.168.1.102 - - [[17/Aug/2006:09:02:21 --0400]] "GET /wget%20http://www.test.com/test.zip HTTP/1.1" 404 0
Handler: cgi-script
----------------------------------------
GET /wget%20http://www.test.com/test.zip HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: 192.168.1.103
Connection: Keep-Alive
mod_security-message: Access denied with code 403. Pattern match "(ps\x20(?#WEB-ATTACKS /bin/ps command attempt)|wget\x20(?#WEB-ATTACKS wget command attempt)|uname\x20-a(?#WEB-ATTACKS uname -a command attempt))" at THE_REQUEST.
mod_security-action: 403
HTTP/1.1 (null)
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
On 8/17/06, Ivan Ristic <ivan.ristic <at> gmail.com> wrote:
On 8/17/06, Alex V. <alex-security <at> ssji.net> wrote:
> I'm absolutely not a regexp expert, but I'm wondering if it could not be
> possible to write the regexp like this (or something similar):
>
> SecFilterSelective VAR (
> KEYWORD1| # Comment explaining this match
> KEYWORD2| # Comment explaining this match
> KEYWORD3| # Comment explaining this match
> KEYWORD4| # Comment explaining this match
> KEYWORD5| # Comment explaining this match
> KEYWORD6 # Comment explaining this match
> )
It is not possible to use comments, but it is possible to break the
regular expressions into multiple lines, like this:
SecFilterSelective VAR "(\
KEYWORD1|\
KEYWORD2|\
KEYWORD3)"
It is important to not have any whitespace at the beginning of the
line or before the continuation character "\".
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
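As an added illustration of the point settled in this thread (example code, not from any of the posters): Python's re module accepts the same (?#...) comment syntax as PCRE, so the script below checks that the comments leave the thread's rule matching exactly as the comment-free form does, and then uses each comment as a label to report which signature fired on constructed request lines (the first is the one from the audit_log above). Splitting the alternatives on "|" and URL-decoding the request line before matching are this example's own assumptions, the latter mirroring how %20 satisfied \x20 in the log.

```python
import re
from urllib.parse import unquote

# Constructed copy of the thread's rule pattern: every alternative carries a
# (?#...) comment, which PCRE (and Python's re) ignores when matching.
SIGNATURES = (
    r"(ps\x20(?#WEB-ATTACKS /bin/ps command attempt)|"
    r"wget\x20(?#WEB-ATTACKS wget command attempt)|"
    r"uname\x20-a(?#WEB-ATTACKS uname -a command attempt))"
)
COMMENT_RE = re.compile(r"\(\?#([^)]*)\)")

# Constructed sample request lines; the first is the one from the thread's audit_log.
SAMPLE_REQUESTS = [
    "GET /wget%20http://www.test.com/test.zip HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /cgi-bin/x?cmd=uname%20-a HTTP/1.1",
]

def strip_comments(pattern):
    """Remove every (?#...) group; the result must match exactly as the original does."""
    return COMMENT_RE.sub("", pattern)

def comments_are_ignored(text):
    """True when the commented pattern and its comment-free form agree on `text`."""
    a = re.compile(SIGNATURES).search(text)
    b = re.compile(strip_comments(SIGNATURES)).search(text)
    if a is None or b is None:
        return a is None and b is None
    return a.group(0) == b.group(0)

def compile_signatures(pattern):
    """Compile each alternative separately, labelled by its comment; assumes the flat (a|b|c) layout."""
    sigs = []
    for alt in pattern[1:-1].split("|"):  # drop the outer parentheses, then split
        m = COMMENT_RE.search(alt)
        sigs.append((m.group(1).strip() if m else alt, re.compile(alt)))
    return sigs

def match_request(request_line, sigs):
    """Label of the first signature that matches the decoded request line, or None."""
    for label, rx in sigs:
        if rx.search(request_line):
            return label
    return None

def scan(raw_request_lines, sigs):
    """URL-decode each raw line (assumption: %20 satisfied the rule's \\x20 in the log)
    and return (raw line, label) for every hit."""
    return [(raw, label) for raw in raw_request_lines
            if (label := match_request(unquote(raw), sigs)) is not None]
```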