Ivan Ristic | 3 Jul 16:22

Re: problem with my regex and single line HTMLcomment in RESPONSE_BODY

I think you want a ModSecurity IDE... I've dreamed of one myself. It's
feasible, from a technical point of view, but requires a commitment of
resources to implement.

Questions below.

On Thu, Jul 3, 2008 at 3:14 PM, Stephen Craig Evans
<stephencraig.evans <at> gmail.com> wrote:
> Hi Achim,
>
> Pardon me if my rant is off-topic, but this seems to be a good place
> for it for me now.
>
> In the 60+ hours in the last 5 days that I have spent writing
> ModSecurity rules for WebGoat vulnerabilities, more than half of that
> time has been spent on getting the regexes working. I am so tired of
> reading the debug file to see how my regex is being interpreted.
>
> I feel like I am a slave to the PCRE engine instead of the opposite.

We are all slaves, Stephen, just slaves :)

Can we channel your rant into something useful: how about a suggestion?

>
> It's not rocket science:
> 1. I want an account number that has digits, characters and a hyphen,
> but no spaces or special characters.
> 2. I want a password that has alphanumeric and special chars, but has
> no spaces or '>' and '<'.
> 3. I want a user name with chars, ', -, and spaces but nothing else.
>
> I could do this much easier and faster writing Java, C#, or C (which
> is why ModSecurity is written in C; check the source for
> urlDecodeUni).

Why would writing in C be easier for you? The regular expressions
would be the same?

> I'm at the point where I think it's easier to write my own routines in
> Lua and build my own library for reuse; disclaimer: I don't need
> speed.
>
> (/end of rant)
>
> Stephen
>
>
>
> On Thu, Jul 3, 2008 at 7:10 PM, Achim Hoffmann <ah <at> securenet.de> wrote:
>> !! Yes, we do use PCRE underneath. We don't do anything with the regular
>> !! expression... we just pass it to the PCRE engine, compiling with
>>
>> thanks Ivan for this information (which could be found in the docs,
>> I believe:)
>>
>> !!  "PCRE_DOTALL
>>
>> this means that the s modifier in the regex is obsolete, somehow
>> As the core-rules set uses (?i:) modifiers, someone -who initially
>> understands that- might think to use (?s:) also.
>> On the other hand: does (?m:) change it back to "dot does not match
>> newline"? This is not documented in http://www.pcre.org/pcre.txt
>> However, perlre man-page is accurate in that behaviour.
>>
>> !! | PCRE_DOLLAR_ENDONLY".
>>
>> hmm, this raises some questions about how ModSecurity handles "strings",
>> for example:
>>  is the whole HTTP header passed to the rules, or each line
>>  (means what is separated by \r\n) individually?
>>  That would make some difference, I guess.
>>  You need to know that when writing rules.
>>
>> Before going deeper into that (and some more examples), I'd
>> suggest to point this out in the docs. I mean to describe how
>> the different parts of the request/response are handled by ModSec.
>>
>> Achim
>>
>>
>
> -------------------------------------------------------------------------
> Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
> Studies have shown that voting for your favorite open source project,
> along with a healthy diet, reduces your potential for chronic lameness
> and boredom. Vote Now at http://www.sourceforge.net/community/cca08
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>

-- 
Ivan Ristic
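An added example, not code from Ivan's, Stephen's or Achim's messages: the three whitelist checks Stephen lists, written in Python so the effect of the two PCRE flags Achim quotes (PCRE_DOTALL, PCRE_DOLLAR_ENDONLY) can be seen next to plain matching. The SecRule line in the comment is an assumed illustration of the rule shape, and the sample values are constructed.

```python
import re

# Constructed example, not code from the thread. The three whitelist patterns
# follow Stephen's three requirements. ModSecurity compiles every regex with
# PCRE_DOTALL | PCRE_DOLLAR_ENDONLY (as quoted above), so in a rule such as
# the assumed
#   SecRule ARGS:account "!^[A-Za-z0-9-]+$" "phase:2,t:none,deny"
# the $ already means "absolute end of the value". Python's $ does not: it
# also matches before a trailing newline, so \Z (PCRE's \z) is used here to
# get the same strict anchoring.
WHITELIST = {
    # 1. account number: digits, letters and a hyphen; no spaces or specials
    "account": re.compile(r"^[A-Za-z0-9\-]+\Z"),
    # 2. password: alphanumeric and special chars, but no whitespace, < or >
    "password": re.compile(r"^[^\s<>]+\Z"),
    # 3. user name: letters, apostrophe, hyphen and spaces, nothing else
    "username": re.compile(r"^[A-Za-z' \-]+\Z"),
}


def allowed(field: str, value: str) -> bool:
    """Positive-security check: True only when the whole value matches."""
    return WHITELIST[field].search(value) is not None


def dollar_demo(value: str) -> tuple:
    """(plain $ result, DOLLAR_ENDONLY-style \\Z result) for the account rule.
    Shows why "1234-ABC\\n" passes a loose $ anchor but not a strict one."""
    plain = re.search(r"^[A-Za-z0-9\-]+$", value) is not None
    end_only = re.search(r"^[A-Za-z0-9\-]+\Z", value) is not None
    return plain, end_only


def dotall_demo(body: str) -> tuple:
    """(with DOTALL, without DOTALL) for an HTML-comment pattern run over a
    response body. Under PCRE_DOTALL, as ModSecurity compiles it, '.' crosses
    line breaks, so one pattern covers single- and multi-line comments and an
    explicit (?s) inside the regex adds nothing."""
    comment = r"<!--.*?-->"
    with_dotall = re.search(comment, body, re.DOTALL) is not None
    without = re.search(comment, body) is not None
    return with_dotall, without


if __name__ == "__main__":
    for field, sample in [("account", "1234-ABC"), ("account", "1234-ABC\n"),
                          ("password", "pass<script>"), ("username", "O'Neil-Smith")]:
        print(field, repr(sample), allowed(field, sample))
    print(dollar_demo("1234-ABC\n"))                        # (True, False)
    print(dotall_demo("<html><!--\n debug \n--></html>"))   # (True, False)
```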
