13 Sep 2011 13:31
Does ctl:ruleUpdateTargetById work when in ANOMALY MODE
kwenu <uzoka_a <at> yahoo.co.uk>
2011-09-13 11:31:13 GMT
Apache 2.2.20
[notice] ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/) configured.
[notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
[notice] ModSecurity: PCRE compiled version="8.12"; loaded version="8.12 2011-01-15"
[notice] ModSecurity: LIBXML compiled version="2.6.23"
I am using crs 2.2.2 revision 1837
I have an unusual problem here - the following rule does not do what I expect it to do:
SecRule REQUEST_HEADERS:Host "@streq xxxxxxxxxxx" \
"phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=981318;!REQUEST_COOKIES:x_xxxx"
In ModSecurity's audit file it outputs the following:
SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|!REQUEST_COOKIES:s_pers|!REQUEST_COOKIES:s_pers" "@rx (^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" "phase:2,log,rev:2.2.2,capture,t:none,t:urlDecodeUni,block,msg:'SQL Injection Attack: Common Injection Testing Detected',id:981318,logdata:%{TX.0},severity:2,tag:WEB_ATTACK/SQL_INJECTION,tag:WASCTC/WASC-19,tag:OWASP_TOP_10/A1,tag:OWASP_AppSensor/CIE1,tag:PCI/6.5.2,setvar:tx.msg=%{rule.msg},setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
So for some reason this rule is creating multiple !REQUEST_COOKIES within the rule I am updating - I'm quite sure this is a bug, as this was working well in 2.2.0.
I have used different builds of Apache, also using different versions of apr and pcre, but to no avail.
The rule is not doing what I hoped it would - do such rules work in anomaly mode, since http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html would seem to suggest they do not?
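For readers comparing the two exception-handling mechanisms the question is about, the following is an added example; it is not code from the post, from ModSecurity or from the CRS. It shows the per-transaction ctl form the poster uses beside the global SecRuleUpdateTargetById directive form. Rule id 981318 is the CRS rule quoted above; the Host value app.example.com, the cookie name s_pers and the local rule id 1000001 are placeholders chosen for the example.

```apache
# Per-transaction exclusion (the form used in the post): a phase 1 rule that,
# for one Host only, removes one cookie from the targets of CRS rule 981318.
# It runs in phase 1, so it is evaluated before the phase 2 rule it modifies,
# and the change applies to the current transaction only.
# id:1000001 is an arbitrary local id chosen for this example.
SecRule REQUEST_HEADERS:Host "@streq app.example.com" \
    "id:1000001,phase:1,t:none,nolog,pass,\
    ctl:ruleUpdateTargetById=981318;!REQUEST_COOKIES:s_pers"

# Global exclusion: the same target change, applied when the configuration is
# loaded and therefore for every request regardless of Host. The directive
# must appear after the file that defines rule 981318 has been included.
SecRuleUpdateTargetById 981318 "!REQUEST_COOKIES:s_pers"
```

The ctl form is the one to use when the exclusion must depend on something in the request (here the Host header); when the cookie should be excluded for every request, the directive form avoids the runtime target rewrite altogether.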
_______________________________________________ mod-security-users mailing list mod-security-users <at> lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/mod-security-users ModSecurity Services from Trustwave's SpiderLabs: https://www.trustwave.com/application-security.php