Re: REQUEST_BODY has some XML

Just wanted to share with the rest, Ryan's pointer worked for me.

In my modsecurity_crs_10_config.conf i set:

SecRule REQUEST_FILENAME " <at> streq /cgi-bin/form.pl" \
"chain,phase:1,id:'981053',t:none,t:lowercase,pass,nolog"
SecRule REQBODY_PROCESSOR "! <at> streq XML" "ctl:requestBodyProcessor=XML"

In my modsecurity_crs_15_customrules.conf i set:

SecRule XML " <at> validateSchema /etc/apache2/xsd/test.xsd" \
"phase:2,log,auditlog,deny,status:403,msg:'XSD check failed',tag:'MOD  
SECURITY  
TEST',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},id:'500001',severity:2"

With the above settings, i was able to test a request (to:  
/cgi/bin/form.pl) with REQUEST_HEADER = Content-type:  
application/x-www-form-urlencoded and changed the xml values in my post to  
make the xsd check fail.

Thanks much,
-Usman

> Thanks for the pointer, will check it out.
>
>> SecRule REQUEST_FILENAME " <at> streq /path/to/file.php" \
>>         "chain,phase:1,id:'1',t:none,t:lowercase,pass,nolog"
>>         SecRule REQBODY_PROCESSOR "! <at> streq XML"
>> "ctl:requestBodyProcessor=XML"
>
>

--

-- 
Using Opera's revolutionary email client: http://www.opera.com/mail/

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/