Re: the @pm operator in modsecurity_crs_40_generic_attacks.conf
From: Stephen Craig Evans <stephencraig.evans <at> gmail.com>
Subject: Re: the @pm operator in modsecurity_crs_40_generic_attacks.conf
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-07-02 13:38:27 GMT
Yes, that helps a lot - to use it as a speedy filter. After RTFM, it appears to have the same functionality as @contain and that I can use @streq if I want a whole word match.

Thanks,
Stephen

On Wed, Jul 2, 2008 at 8:24 PM, Ryan Barnett <Ryan.Barnett <at> breach.com> wrote:
> It is important to understand the value/purpose that the set-based matching operator brings - speed. It is much faster than the regex operator (especially when the data it is inspecting is very large). With this being said, you also need to realize its shortcoming - decreased logic. It is simply a text string matcher and does not have the advanced logic of a regex.
>
> What we chose to do with the core rule set was to use the set-based matching operator as a "pre-qualifier" before running the more expensive regex checks. The @pm check casts a wide net to see if the data even has a chance of matching (as your example shows) and then the regex check would do further analysis (such as apply word boundary checks) to both rule out this false positive and confirm attack payloads with increased logic.
>
> Hope this helps.
>
> Thanks,
> Ryan C. Barnett
>
> ----- Original Message -----
> From: mod-security-users-bounces <at> lists.sourceforge.net
> To: mod-security-users <at> lists.sourceforge.net
> Sent: Tue Jul 01 23:24:59 2008
> Subject: [mod-security-users] the @pm operator in modsecurity_crs_40_generic_attacks.conf
>
> Hi,
>
> Is there any way to get the @pm operator to match only whole words?
>
> I am using the Command Injection rule in
> modsecurity_crs_40_generic_attacks.conf and it seems there should be a
> better way.
>
> SecRule ARGS "@pm ping id rm ..." "t:htmlEntityDecode,t:lowercase..."
>
> matches:
>
> Content-Type: application/x-www-form-urlencoded
> Name=Sid
> Destination=shipping
>
> Or am I doing something wrong? The reference manual
> (modsecurity2-apache-reference.pdf) infers that it's a word match.
>
> TIA (Thanks In Advance),
> Stephen
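As an added illustration (not code from the thread, from ModSecurity or from the Core Rule Set), the following Python models the two-stage approach Ryan describes: a cheap @pm-style substring pre-qualifier followed by a word-boundary regex that rules out false positives such as "Sid" and "shipping". The keyword list is reduced to the three words visible in the quoted rule (the rest are elided on the page), and the request body is the one from Stephen's post.

```python
import html
import re
from urllib.parse import parse_qs

# Keywords taken from the quoted rule "@pm ping id rm ..."; the elided remainder
# is not on the page, so only these three are modelled.
COMMAND_KEYWORDS = ("ping", "id", "rm")

# Stage 2: the same keywords, but anchored with word boundaries so that
# "id" inside "Sid" or "ping" inside "shipping" no longer match.
COMMAND_REGEX = re.compile(
    r"\b(?:" + "|".join(map(re.escape, COMMAND_KEYWORDS)) + r")\b"
)


def normalise(value: str) -> str:
    """Apply the rule's transforms: t:htmlEntityDecode, then t:lowercase."""
    return html.unescape(value).lower()


def pm_prequalifier(value: str) -> bool:
    """Set-based substring match, modelled on @pm: fast, no word-boundary logic."""
    normalised = normalise(value)
    return any(keyword in normalised for keyword in COMMAND_KEYWORDS)


def regex_confirm(value: str) -> bool:
    """More expensive check, run only when the pre-qualifier has fired."""
    return COMMAND_REGEX.search(normalise(value)) is not None


def inspect_args(body: str) -> dict:
    """Return, per ARGS name, whether each stage matched its value.

    Assumes single-valued form fields (true for the thread's sample body).
    """
    results = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        value = values[0]
        prequalified = pm_prequalifier(value)
        # The regex is only evaluated when @pm cast its wide net first.
        confirmed = prequalified and regex_confirm(value)
        results[name] = {"pm": prequalified, "regex": confirmed}
    return results


if __name__ == "__main__":
    # Constructed sample: the body from the thread that triggered the rule.
    print(inspect_args("Name=Sid&Destination=shipping"))
```

Both fields pre-qualify (Sid contains "id", shipping contains "ping") but neither survives the word-boundary regex, which is exactly the false positive Stephen observed.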