4 Sep 17:01
Re: Has anyone ever used multiMatch?
Ivan Ristic <ivan.ristic <at> gmail.com>
2009-09-04 15:01:01 GMT
I don't know, I haven't thought about it. I prefer not to take shortcuts.
That way, I don't have to consider undesired consequences.

On Fri, Sep 4, 2009 at 11:53 AM, Nick Gearls<nickgearls <at> gmail.com> wrote:
> What's the exact problem of using only
> t:none,t:htmlEntityDecode,t:cssDecode,t:jsDecode
>
> Do you see a possibility of missing an attack, or getting a false positive?
>
> Nick
>
>
> Ivan Ristic wrote:
>> To respond to my own email, I've never used multiMatch. I did
>> encounter a situation where multiMatch would be useful, but it didn't
>> quite do what I needed. As an example, below is an extract from some
>> work that I never finished (it might have gone into the new Core
>> Rules, though).
>>
>> ------------------------
>> # Do not allow control characters apart from horizontal tab (9/0x09),
>> # line feed (10/0x0a) and carriage return (13/0x0d).
>> #
>> # Ref: http://en.wikipedia.org/wiki/Control_character
>> # Ref: http://www.w3.org/MarkUp/html3/specialchars.html
>> #
>> SecRule ARGS "@validateByteRange 9,10,13,32-255" \
>>     t:none
>>
>> # Verify for invalid bytes in HTML content.
>> #
>> SecRule ARGS "@validateByteRange 9,10,13,32-255" \
>>     t:none,t:htmlEntityDecode
>>
>> # Verify for invalid bytes in JavaScript context.
>> #
>> SecRule ARGS "@validateByteRange 9,10,13,32-255" \
>>     t:none,t:htmlEntityDecode,t:jsDecode
>>
>> # Verify for invalid bytes in CSS context.
>> #
>> SecRule ARGS "@validateByteRange 9,10,13,32-255" \
>>     t:none,t:htmlEntityDecode,t:cssDecode
>>
>> # TODO The above could be combined into one, really.
>> ------------------------
>>
>> Three of the above rules could be combined into one using multiMatch,
>> but not all of them since there's a branch in the logic.
>>
>>
>> On Fri, Aug 21, 2009 at 3:46 PM, Ivan Ristic<ivan.ristic <at> gmail.com> wrote:
>>> I am really curious, has anyone ever used (or even thought about
>>> using) the multiMatch action?
>>>
>>> http://www.modsecurity.org/documentation/modsecurity-apache/2.5.9/modsecurity2-apache-reference.html#N1182A
>>>
>>> --
>>> Ivan Ristic
>>> Security assessment of your SSL servers
>>> https://www.ssllabs.com/ssldb/

--
Ivan Ristic
Security assessment of your SSL servers
https://www.ssllabs.com/ssldb/

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html
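The difference between the four branched rules quoted above and the single linear chain Nick proposes can be made concrete with a small simulation of how ModSecurity applies a transformation chain and, with multiMatch, runs the operator after every step. This is an added example, not code from the thread or from ModSecurity itself: the decoders are simplified stand-ins (numeric HTML entities, \xHH and \uHHHH JavaScript escapes and \H CSS hex escapes only) and the sample inputs are constructed.

```python
import re

# Simplified stand-ins for the ModSecurity transformations (assumption: only
# numeric HTML entities, \xHH / \uHHHH JavaScript escapes and \H{1,6} CSS hex
# escapes are handled; the real transformations cover more cases).
def html_entity_decode(s):
    return re.sub(r"&#(?:[xX]([0-9a-fA-F]{1,6})|([0-9]{1,7}));",
                  lambda m: chr(int(m.group(1), 16) if m.group(1) else int(m.group(2))), s)

def js_decode(s):
    return re.sub(r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4}))",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def css_decode(s):
    # \H{1,6} plus one optional whitespace decodes to a code point; a backslash
    # before any other character yields that character (single pass, as in CSS).
    return re.sub(r"\\(?:([0-9a-fA-F]{1,6})\s?|(.))",
                  lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2), s)

TRANSFORMS = {"none": lambda s: s, "htmlEntityDecode": html_entity_decode,
              "jsDecode": js_decode, "cssDecode": css_decode}
ALLOWED = {9, 10, 13} | set(range(32, 256))   # @validateByteRange 9,10,13,32-255

def validate_byte_range(s):
    """True when the operator matches, i.e. some character is outside the allowed
    range (code points above 255 count as out of range here; the real operator
    works on raw bytes)."""
    return any(ord(c) not in ALLOWED for c in s)

def evaluate(value, chain, multi_match=False):
    """Names of the stages at which the operator matched. Without multiMatch only
    the fully transformed value is tested; with multiMatch the operator runs
    after every transformation in the chain."""
    matched = []
    for i, name in enumerate(chain):
        value = TRANSFORMS[name](value)
        if (multi_match or i == len(chain) - 1) and validate_byte_range(value):
            matched.append(name)
    return matched

# The four branched rules from the thread, each with its own chain, versus
# the single linear chain with multiMatch.
BRANCHED = [["none"], ["none", "htmlEntityDecode"],
            ["none", "htmlEntityDecode", "jsDecode"],
            ["none", "htmlEntityDecode", "cssDecode"]]
LINEAR = ["none", "htmlEntityDecode", "cssDecode", "jsDecode"]

def branched_match(value):
    return any(evaluate(value, chain) for chain in BRANCHED)

def linear_match(value):
    return bool(evaluate(value, LINEAR, multi_match=True))
```

Run `branched_match` and `linear_match` over constructed inputs such as `"&#x01;"`, `r"\x01"` and `r"\5c x01"`: the first is flagged by both, the second only by the branched rules (cssDecode turns `\x01` into `x01` before jsDecode ever sees it), and the third only by the linear chain, which is the kind of divergence the branch in the logic avoids.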