christian.folini | 4 Jul 09:12

Re: problem with my regex and single line HTML comment in RESPONSE_BODY

Hey Stephen,

You are touching an interesting subject here:

How to write rules and test them out efficiently? 
Or in your words:

> For now I would be happy with just a shell command line interface where I can input the regex, 
> then proceed by entering different strings and knowing if they match or not.

I work with 4 shells on a single screen and I believe I get quite close to what you
are looking for.

- 1 (top left): Apache config
- 2 (bottom left): Apache commands (-> alias "apareload")
- 3 (bottom right): curl commands
- 4 (top right): tail on the debug log (this can be filtered with tail -f ... | grep -v (...|...|...))

Alias apareload: That is a command alias for reloading
the apache with the latest timestamp on the command line.
This is very helpful when you play around with multiple
apaches and configs.
If you want to be really nifty, then you can script apareload into a 
while loop and whenever you press enter in that shell window, it
reloads apache.

I do almost all my testing with "curl -v". Sometimes directly, sometimes scripted into
an ad hoc shell script (like: proceed by entering different strings). Looking at the
HTTP status, I can determine whether it matched or not. Sometimes I write multiple
rules and have each one return a redirect to a different location. That way I can
determine which one triggered. The same information is also in the debug log,
but most of the time, the HTTP response is enough for me.

Note the counterclockwise arrangement of the shell windows.
Edit Apache, reload Apache, run curl, check the debug log, run curl, check
the output or proceed with the debug log on top. Then eyes to the
left again to the apache config. Of course, you can also arrange
it clockwise or any other way. It's just the way that works for me. Your
mileage may vary.

Maybe that's all obvious to you guys. But I believe it is useful for newbies
to get into a short reconfigure->tryout cycle. With the setup pointed out
above, it takes merely a few seconds.

regs,

Christian
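The try-out loop Stephen asks for and Christian scripts ad hoc, as an added example that is not code from either of them or from the ModSecurity project: a small Python harness that takes a pattern once, then test strings, and reports whether each one matches. Python's `re` module stands in for the PCRE engine ModSecurity uses (an assumption that the patterns under test use only syntax the two engines share). The constructed response bodies show why a single-line HTML comment pattern stops matching once the comment spans a newline unless DOTALL is set, and the last helper shows why `$` accepts a trailing newline in a parameter value, which is the PCRE_DOLLAR_ENDONLY question from the quoted thread. The `--dotall` flag and all sample strings are this example's own.

```python
#!/usr/bin/env python3
"""Offline regex try-out loop (added example, not ModSecurity's code).

Enter a pattern once, then test strings one per line; each line is
answered with MATCH / no match. Python's `re` module stands in for the
PCRE engine ModSecurity uses (assumption: the patterns tested use only
syntax the two engines share).
"""
import re
import sys


def compile_pattern(pattern: str, dotall: bool = False) -> re.Pattern:
    """Compile the way a rule would be handed to PCRE: no DOTALL unless asked."""
    return re.compile(pattern, re.DOTALL if dotall else 0)


def try_out(pattern: str, samples: list[str], dotall: bool = False) -> dict[str, bool]:
    """Return {sample: matched?} for every sample, like a batch of curl runs."""
    rx = compile_pattern(pattern, dotall)
    return {s: rx.search(s) is not None for s in samples}


# Constructed response bodies: one with a single-line HTML comment, one
# whose comment spans two lines (the case that trips `.` without DOTALL),
# and one with no comment at all.
ONE_LINE = "<html><!-- debug: build 42 --><body>ok</body></html>"
TWO_LINE = "<html><!-- debug:\n build 42 --><body>ok</body></html>"
NO_COMMENT = "<html><body>ok</body></html>"

# A plain "strip the HTML comment" pattern; `.` does not cross a newline
# unless DOTALL is set, so TWO_LINE only matches in DOTALL mode.
COMMENT_RX = r"<!--.*?-->"


def comment_matches(dotall: bool = False) -> dict[str, bool]:
    """Run COMMENT_RX over the three constructed bodies."""
    return try_out(COMMENT_RX, [ONE_LINE, TWO_LINE, NO_COMMENT], dotall)


def dollar_before_trailing_newline() -> dict[str, bool]:
    """Parameters can carry newlines. By default `$` also matches just
    before a final newline, so `^abc$` accepts "abc<newline>". `\\Z` in
    Python (PCRE_DOLLAR_ENDONLY in PCRE) pins `$` to the very end."""
    sample = "abc\n"
    return {
        "dollar": try_out(r"^abc$", [sample])[sample],
        "Z": try_out(r"^abc\Z", [sample])[sample],
    }


def main() -> None:
    """Interactive mode: one pattern, then test strings until EOF."""
    pattern = input("pattern> ")
    rx = compile_pattern(pattern, dotall="--dotall" in sys.argv)
    print("enter test strings, one per line (Ctrl-D to quit)")
    for line in sys.stdin:
        line = line.rstrip("\n")
        print(("MATCH    " if rx.search(line) else "no match ") + repr(line))


if __name__ == "__main__":
    main()
```

Run it as `python3 tryout.py` (or `python3 tryout.py --dotall`), type the pattern, then paste candidate strings; it replaces the edit-reload-curl-grep cycle for the regex part of a rule, though the HTTP-level test against Apache is still needed to confirm the rule fires as configured.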

-----Original Message-----
From: mod-security-users-bounces <at> lists.sourceforge.net
[mailto:mod-security-users-bounces <at> lists.sourceforge.net] On Behalf Of Stephen Craig Evans
Sent: Friday, 4 July 2008 08:32
To: Ivan Ristic
Cc: Christian Bockermann; mod-security-users <at> lists.sourceforge.net; Brian Rectanus; Achim
Hoffmann; Ryan Barnett
Subject: Re: [mod-security-users] problem with my regex and single line HTML comment in RESPONSE_BODY

Hi,

I'm a little embarrassed about yesterday's outburst - I guess reading debug files for so long made me a
little nutso.

Ivan, back to your idea of a ModSecurity console...

I think a large part of my frustration (besides sucking at writing regexes :-) comes from having to modify
the .conf file, restart Apache, run a test case, then wade through the debug log file just to see if it worked
or not.

In a couple of weeks after I've hit the 50% project completion milestone and I compile and install 2.5.5,
I'll look more closely at the C functions in msc_pcre.c. Perhaps it won't be too difficult to write a C
program that can call those directly or call the function calls that ModSecurity calls.

For now I would be happy with just a shell command line interface where I can input the regex, then proceed by
entering different strings and knowing if they match or not.

I am writing many WebGoat sublesson-specific regexes and this would save me a lot of time I believe.

Cheers,
Stephen

On Fri, Jul 4, 2008 at 8:55 AM, Ivan Ristic <ivanr <at> webkreator.com> wrote:
> Achim Hoffmann wrote:
>>
>> ...
>>
>>
>> Thanks for your in-depth examples, I'm going to analyze that but they 
>> don't really answer what I asked for according to PCRE_DOLLAR_ENDONLY
>> and PCRE_DOTALL and how ModSecurity passes "strings" to the regex engine.
>
> We pass them as they are. What is passed depends on the variable you use.
> Headers, which you mentioned in your previous emails, we get from 
> Apache and pass them through. As far as I know it's just a string, 
> because Apache will collapse folded headers.
>
> In other places (e.g. parameters) you will get newlines if they are there.
>
> Ivan
>
>

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project, along with a healthy diet, reduces
your potential for chronic lameness and boredom. Vote Now at http://www.sourceforge.net/community/cca08
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
