kwenu | 13 Sep 13:31 2011

Does ctl:ruleUpdateTargetById work when in ANOMALY MODE?

Apache 2.2.20
 [notice] ModSecurity for Apache/2.6.1 ( configured.
 [notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
 [notice] ModSecurity: PCRE compiled version="8.12"; loaded version="8.12 2011-01-15"
 [notice] ModSecurity: LIBXML compiled version="2.6.23"

I am using crs 2.2.2 revision 1837

I have an unusual problem here - the following rule does not do what I expect it to do

SecRule REQUEST_HEADERS:Host "@streq xxxxxxxxxxx" \

In modsec's audit file it outputs the following:

SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_pers" "@rx (^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" "phase:2,log,rev:2.2.2,capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: Common Injection Testing Detected',id:981318,logdata:%{TX.0},severity:2,tag:WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

So for some reason this rule is creating multiple !REQUEST_COOKIES within the rule I am updating - I'm quite sure this is a bug, as this was working well in 2.2.0

I have used different builds of Apache, also using different versions of APR and PCRE, but to no avail

The rule is not doing what I hoped it would - do such rules work in anomaly mode, since this would seem to suggest they do not?
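
The symptom described in this message, a logged target list in which the same `!` exclusion appears more than once, can be checked for mechanically. The Python sketch below is an added example, not part of the original post or of ModSecurity; the sample line is constructed (shortened from the rule quoted above), the function names are hypothetical, and it assumes no target selector contains a literal `|`.

```python
import re
from collections import Counter

# Constructed sample: shortened from the SecRule line quoted in the post.
SAMPLE_RULE = (
    'SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS|XML:/*|'
    '!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_pers" '
    '"@rx (^[\\"\';]+|[\\"\';]+$)" "phase:2,log,block,id:981318"'
)

# First double-quoted argument of SecRule, allowing backslash escapes.
_TARGETS_RE = re.compile(r'^\s*SecRule\s+"((?:[^"\\]|\\.)*)"')
_ID_RE = re.compile(r"\bid:'?(\d+)")


def parse_targets(rule_line):
    """Return the target list of a logged SecRule line, in order."""
    m = _TARGETS_RE.match(rule_line)
    if not m:
        raise ValueError("not a SecRule line with a quoted target list")
    # Assumption: no selector contains a literal '|' (e.g. a regex selector).
    return [t for t in m.group(1).split("|") if t]


def duplicate_targets(rule_line):
    """Map each target that occurs more than once to its count."""
    counts = Counter(parse_targets(rule_line))
    return {t: n for t, n in counts.items() if n > 1}


def rule_id(rule_line):
    """Extract the numeric id action, or None if the line has none."""
    m = _ID_RE.search(rule_line)
    return m.group(1) if m else None


def report(lines):
    """List (rule id, duplicated targets) for every SecRule line affected."""
    findings = []
    for line in lines:
        if not line.lstrip().startswith("SecRule"):
            continue  # skip other audit-log content
        dups = duplicate_targets(line)
        if dups:
            findings.append((rule_id(line), dups))
    return findings


if __name__ == "__main__":
    for rid, dups in report([SAMPLE_RULE]):
        print(f"rule {rid}: duplicated targets {dups}")
```
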

mod-security-users mailing list