Re: the @pm operator in modsecurity_crs_40_generic_attacks.conf
From: Ryan Barnett <Ryan.Barnett <at> Breach.com>
Subject: Re: the @pm operator in modsecurity_crs_40_generic_attacks.conf
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-07-02 12:24:37 GMT
It is important to understand the value/purpose that the set-based matching operator brings - speed. It is much faster than the regex operator (especially when the data it is inspecting is very large). With this being said, you also need to realize its shortcoming - decreased logic. It is simply a text string matcher and does not have the advanced logic of a regex.

What we chose to do with the core rule set was to use the set-based matching operator as a "pre-qualifier" before running the more expensive regex checks. The @pm check casts a wide net to see if the data even has a chance of matching (as your example shows) and then the regex check would do further analysis (such as apply word boundary checks) to both rule out this false positive and confirm attack payloads with increased logic.

Hope this helps.

Thanks,
Ryan C. Barnett

----- Original Message -----
From: mod-security-users-bounces <at> lists.sourceforge.net
To: mod-security-users <at> lists.sourceforge.net
Sent: Tue Jul 01 23:24:59 2008
Subject: [mod-security-users] the @pm operator in modsecurity_crs_40_generic_attacks.conf

Hi,

Is there any way to get the @pm operator to match only whole words? I am using the Command Injection rule in modsecurity_crs_40_generic_attacks.conf and it seems there should be a better way.

SecRule ARGS "@pm ping id rm ..." "t:htmlEntityDecode,t:lowercase..."

matches:

Content-Type: application/x-www-form-urlencoded

Name=Sid
Destination=shipping

Or am I doing something wrong? The reference manual (modsecurity2-apache-reference.pdf) infers that it's a word match.

TIA (Thanks In Advance),
Stephen

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
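The two-stage check Ryan describes (cheap set match as a pre-qualifier, then a word-boundary regex to confirm), simulated in Python as an added example; this is not code from the ModSecurity project or from either poster. It assumes a plain substring test as a stand-in for @pm's set matcher, uses only the three keywords visible in Stephen's rule (the rest of the list is elided in the post), applies the rule's t:htmlEntityDecode and t:lowercase transformations, and runs over constructed form bodies, including the one from the thread. In ModSecurity itself the second stage would be a chained @rx rule rather than Python.

```python
import html
import re
import urllib.parse

# Keywords visible in the thread's Command Injection rule; the real list is longer.
COMMAND_WORDS = ["ping", "id", "rm"]

# Constructed sample request bodies (application/x-www-form-urlencoded).
SAMPLES = {
    # The body from the thread: 'Sid' contains 'id', 'shipping' contains 'ping'.
    "benign_form": "Name=Sid&Destination=shipping",
    # Same shape, but 'id' now stands alone as a word.
    "standalone_word": "Name=id&Destination=shipping",
    # URL-encoded "&#112;ing": becomes "ping" only after htmlEntityDecode.
    "entity_encoded": "Name=%26%23112%3Bing",
}


def transform(value):
    """Apply the rule's transformations in order: t:htmlEntityDecode, t:lowercase."""
    return html.unescape(value).lower()


def pm_prequalify(value, words):
    """Stand-in for @pm: a set of fixed strings matched anywhere, no word boundaries.
    Returns the keywords found as substrings (assumption: substring test ~ @pm)."""
    return [w for w in words if w in value]


def rx_confirm(value, words):
    """Second stage: regex with \\b boundaries, so 'id' inside 'sid' does not match."""
    pattern = re.compile(r"\b(?:" + "|".join(map(re.escape, words)) + r")\b")
    return sorted({m.group(0) for m in pattern.finditer(value)})


def evaluate(body, words=COMMAND_WORDS):
    """Run both stages over every ARGS value of a form body.

    Returns (pm_hits, confirmed): which arguments the cheap stage flagged, and which
    of those the word-boundary regex actually confirmed. The regex only runs on
    values that passed the pre-qualifier, which is the cost saving Ryan describes.
    """
    pm_hits, confirmed = [], []
    for name, raw in urllib.parse.parse_qsl(body, keep_blank_values=True):
        value = transform(raw)
        hits = pm_prequalify(value, words)
        if not hits:
            continue  # cheap stage says no chance: skip the expensive regex
        pm_hits.append((name, hits))
        found = rx_confirm(value, words)
        if found:
            confirmed.append((name, found))
    return pm_hits, confirmed


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        pm_hits, confirmed = evaluate(body)
        print(f"{label:16} @pm flagged: {pm_hits}  regex confirmed: {confirmed}")
```

Run as a script, the thread's own body shows both arguments flagged by the pre-qualifier and nothing confirmed by the boundary regex, which is exactly the false positive Stephen reported and the reason the rule set chains the two operators.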