Ryan Barnett | 2 Jul 17:02

Re: the @pm operator in modsecurity_crs_40_generic_attacks.conf

> -----Original Message-----
> From: Stephen Craig Evans [mailto:stephencraig.evans <at> gmail.com]
> Sent: Wednesday, July 02, 2008 9:38 AM
> To: Ryan Barnett
> Cc: mod-security-users <at> lists.sourceforge.net
> Subject: Re: [mod-security-users] the @pm operator
> in modsecurity_crs_40_generic_attacks.conf
> 
> Yes, that helps a lot - to use it as a speedy filter.
> 
> After RTFM, it appears to have the same functionality as @contains
[Ryan Barnett] @contains does allow for a string match; however, it
differs in that it is not as fast, but it does allow for macro expansion.

> and that I can use @streq if I want a whole word match.
> 
[Ryan Barnett] This is true; however, you need to keep in mind that many
times the attacks are injection-type issues, and the @streq operator
is looking to match the ENTIRE payload.  So, if you wanted to use it to
filter if someone was trying to access the /etc/passwd file -

SecRule ARGS "@streq /etc/passwd"

It would catch this -

http://www.example.com/cgi-bin/foo.php?param=/etc/passwd

but not this -

http://www.example.com/cgi-bin/foo.php?param=12345;cat%20/etc/passwd

Using the @streq operator is usually a better choice for positive
security types of rules where you can explicitly list what payloads
should be.

-Ryan
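The three operators compared in the reply above, as an added example that is not part of this thread or of ModSecurity's own code: a small Python emulation of @streq, @contains and @pm applied to the ARGS values of the two example URLs, plus a positive-security allowlist check built on whole-value equality. The emulation is simplified (ModSecurity evaluates @pm with an Aho-Corasick automaton and fills macros like %{TX.target} from live transaction variables; here @pm is a plain case-insensitive loop and macros are substituted from a constructed dictionary). The URLs and the allowlist values are taken from, or constructed for, this example.

```python
"""Simplified emulation of ModSecurity's @streq, @contains and @pm operators.

Added example, not ModSecurity code: it models how each operator is applied
to every value in the ARGS collection so the difference in what gets caught
is visible on concrete input.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# The two requests from the thread (the second one is a command-injection
# payload that merely *contains* the target path).
URL_DIRECT = "http://www.example.com/cgi-bin/foo.php?param=/etc/passwd"
URL_INJECTED = "http://www.example.com/cgi-bin/foo.php?param=12345;cat%20/etc/passwd"


def args_of(url):
    """Return the URL-decoded ARGS values (query-string parameters) of a URL.

    ModSecurity inspects each argument value separately; %20 becomes a space
    just as the engine's URL decoding would make it.
    """
    return [value for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def op_streq(value, pattern):
    """@streq: the ENTIRE argument value must equal the pattern."""
    return value == pattern


def op_contains(value, pattern):
    """@contains: the pattern may appear anywhere inside the value."""
    return pattern in value


def op_pm(value, patterns):
    """@pm: any of several phrases, matched case-insensitively, anywhere in the value.

    ModSecurity uses Aho-Corasick for speed; a loop gives the same verdict here.
    """
    lowered = value.lower()
    return any(p.lower() in lowered for p in patterns)


def expand_macros(pattern, variables):
    """Expand %{NAME} macros the way @contains (but not @pm) allows.

    `variables` is a constructed stand-in for ModSecurity's transaction variables.
    """
    return re.sub(r"%\{([^}]+)\}", lambda m: variables.get(m.group(1), ""), pattern)


def rule_matches(url, operator, pattern):
    """Emulate `SecRule ARGS "@<operator> <pattern>"`: return the ARGS values that match."""
    return [value for value in args_of(url) if operator(value, pattern)]


def compare_operators(url):
    """Show which of the three operators fires on a request for the /etc/passwd target."""
    return {
        "streq": bool(rule_matches(url, op_streq, "/etc/passwd")),
        "contains": bool(rule_matches(url, op_contains, "/etc/passwd")),
        "pm": bool(rule_matches(url, op_pm, ["/etc/passwd", "/etc/shadow"])),
    }


def allowlisted(url, allowed):
    """Positive-security use of whole-value equality: every ARGS value must be
    exactly one of the expected payloads (constructed allowlist), otherwise deny."""
    return all(any(op_streq(value, ok) for ok in allowed) for value in args_of(url))


if __name__ == "__main__":
    for url in (URL_DIRECT, URL_INJECTED):
        print(url, compare_operators(url))
    print("allowlisted:", allowlisted("http://www.example.com/foo.php?mode=view", ["view", "edit"]))
    print("allowlisted:", allowlisted(URL_INJECTED, ["view", "edit"]))
```

Running it shows @streq firing only on the direct request while @contains and @pm fire on both; the allowlist check passes `mode=view` and rejects the injected value, which is the positive-security pattern the reply recommends @streq for.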
