From: kwenu <uzoka_a <at> yahoo.co.uk>
Subject: Does ctl:ruleUpdateTargetById work when in ANOMALY MODE
Newsgroups: gmane.comp.apache.mod-security.user
Date: Tuesday 13th September 2011 11:31:13 UTC
Apache 2.2.20
  [notice] ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/) configured.
  [notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
  [notice] ModSecurity: PCRE compiled version="8.12"; loaded version="8.12 2011-01-15"
  [notice] ModSecurity: LIBXML compiled version="2.6.23"

I am using CRS 2.2.2 revision 1837

I have an unusual problem here: the following rule does not do what I expect it to do.

SecRule REQUEST_HEADERS:Host "@streq xxxxxxxxxxx" \
    "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=981318;!REQUEST_COOKIES:x_xxxx"

In ModSecurity's audit log it outputs the following:

SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|*!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_pers*"
    "@rx (^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
    "phase:2,log,rev:2.2.2,capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: Common Injection Testing Detected',id:981318,logdata:%{TX.0},severity:2,tag:WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

So for some reason this rule is creating multiple !REQUEST_COOKIES entries within the rule I am updating. I'm quite sure this is a bug, as this was working well in 2.2.0.

I have used different builds of Apache, also using different versions of APR and PCRE, but to no avail.

The rule is not doing what I hoped it would. Do such rules work in anomaly mode? The post at
http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html
would seem to suggest they do not.
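As an added check (example code written for this page, not from the original poster or the ModSecurity project): the SecRule line that ModSecurity writes to the audit log, quoted above, is the most direct evidence of what ctl:ruleUpdateTargetById actually did to the target list. The script below takes that logged line as constructed input (re-joined onto one line, with the operator regex shortened and the actions list cut down to the part that matters; the cookie name s_pers is the placeholder that appears in the log excerpt rather than the x_xxxx used in the poster's rule), extracts the rule id and target string, splits the targets on "|", flags tokens carrying a stray "*" (legitimate only inside an XML:/... XPath selector), reports exclusions that appear more than once, and says whether a given exclusion made it into the list at all. The parsing rules are my assumptions based on the target syntax visible on this page; they are not a full ModSecurity variable parser.

```python
import re
from collections import Counter

# Constructed sample: the logged rule quoted in the post above, re-joined onto
# one line. The @rx operator and the actions list are shortened; the target
# list is exactly as it appears in the audit log excerpt.
AUDIT_LOG_RULE = (
    'SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES'
    '|ARGS|XML:/*|*!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_pers*" '
    '"@rx (^[\\"\'`;]+|[\\"\'`;]+$)" '
    '"phase:2,log,rev:2.2.2,capture,t:none,t:urlDecodeUni,block,'
    'msg:\'SQL Injection Attack: Common Injection Testing Detected\',id:981318"'
)


def logged_rule_targets(rule_line):
    """Return (rule id, target string) from a SecRule line as written to the audit log.

    The target list is the first double-quoted string after the SecRule keyword;
    the id is taken from the id:NNN action. Returns None for the id if absent.
    """
    m = re.match(r'^\s*SecRule\s+"([^"]*)"', rule_line)
    if not m:
        raise ValueError("not a SecRule line")
    rid = re.search(r"\bid:(\d+)", rule_line)
    return (rid.group(1) if rid else None, m.group(1))


def split_targets(target_str):
    """ModSecurity separates the variables of a rule's target list with '|'."""
    return [t for t in target_str.split("|") if t]


def has_stray_asterisk(token):
    """A '*' belongs only inside an XML:/xpath selector; elsewhere it is debris.

    Assumption: no other variable form on this page legitimately starts or
    ends with '*', so a leading or trailing '*' on a non-XML token is flagged.
    """
    if token.startswith("XML:") or token.startswith("!XML:"):
        return False
    return token.startswith("*") or token.endswith("*")


def audit_target_list(target_str):
    """Summarise a target list: raw tokens, stray-asterisk tokens, duplicates, exclusions."""
    tokens = split_targets(target_str)
    stray = [t for t in tokens if has_stray_asterisk(t)]
    # Strip the debris only from the flagged tokens so XML:/* stays intact.
    cleaned = [t.strip("*") if has_stray_asterisk(t) else t for t in tokens]
    counts = Counter(cleaned)
    duplicates = sorted(t for t, n in counts.items() if n > 1)
    exclusions = sorted({t[1:] for t in cleaned if t.startswith("!")})
    return {
        "tokens": tokens,
        "stray_asterisks": stray,
        "duplicates": duplicates,
        "exclusions": exclusions,
    }


def exclusion_applied(target_str, variable):
    """True if '!<variable>' is present in the target list, ignoring stray asterisks."""
    return variable in audit_target_list(target_str)["exclusions"]


def check_logged_rule(rule_line, expected_exclusion):
    """Parse a logged SecRule and report whether the intended exclusion applied cleanly."""
    rid, targets = logged_rule_targets(rule_line)
    report = audit_target_list(targets)
    report["id"] = rid
    report["expected_exclusion_present"] = expected_exclusion in report["exclusions"]
    report["clean"] = (
        report["expected_exclusion_present"]
        and not report["stray_asterisks"]
        and not report["duplicates"]
    )
    return report


if __name__ == "__main__":
    result = check_logged_rule(AUDIT_LOG_RULE, "REQUEST_COOKIES:s_pers")
    for key in ("id", "tokens", "stray_asterisks", "duplicates", "exclusions", "clean"):
        print(f"{key}: {result[key]}")
```

Run against the quoted log line, the report shows the exclusion present but not clean: two tokens carry a stray "*" and they collapse to the same "!REQUEST_COOKIES:s_pers" once the debris is removed, which is the duplication the post describes. Feeding the same function a target list that ends in a single "!REQUEST_COOKIES:s_pers" returns clean=True, so the check distinguishes a working target update from the malformed one without any guesswork about the rule engine.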