Hello,

This message is going to the ModSec users ML and the CRS ML. It's a new rule idea I have for the CRS, but maybe the wider audience has a solution.

It is fairly simple to do a rule which takes a parameter, runs a transformation and checks if the transformation changed anything. Here is a simple example with t:lowercase on parameter a.

    # Chain starter: matches when ARGS:foo is non-empty.
    SecRule ARGS:foo "^." "id:1001,phase:2,deny,\
        msg:'%{MATCHED_VAR_NAME} : Transformation revealed difference',chain"
        # Chained rule: matches when the lowercased ARGS:foo differs from the value matched above.
        SecRule ARGS:foo "!@streq %{MATCHED_VARS}" "t:lowercase"

I have tried to get this working for _all_ ARGS. Thus a generic rule working no matter what parameters are sent to the server. But to no avail.

The problem is that chains are executed in the order of the rules, not the order of the parameters. In other words: First all the parameters are matched against the first SecRule. Then all the parameters are matched against the 2nd SecRule. A match on the first SecRule on parameter #1 will thus be overwritten by the match on parameter #2 when ModSec reaches the 2nd rule for parameter #1.

This behaviour is a bit counterintuitive and it kills many interesting rule ideas (it probably also allows many interesting rule ideas, but who cares about things that work, if you can complain about things that don't).

It's also killing this idea. Or let's say I have been grinding my teeth into this problem on and off for a few days and I have not found a solution.

So the question is: Is there a way around this limitation? Can we create a SecRule as above that works for all parameters?

Ahoj,

Christian

--
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
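
The evaluation order described in the message, as an added example that is not part of the original post and is not ModSecurity code: a simplified Python model in which the chain starter's last match is the only value left for the chained rule to compare against. The function names and sample arguments are constructed for illustration.

```python
# Simplified model of the rule-by-rule chain order described in the message.
# Assumption: only the last match of rule 1 survives into rule 2.
# Function names and sample arguments are constructed for this illustration.

def chained_rules(args, transform=str.lower):
    """Rule 1 runs over every argument first, then rule 2 runs over every argument."""
    matched_var = None
    # Rule 1 ("^."): each non-empty argument overwrites the previous match.
    for _name, value in args:
        if value:
            matched_var = value
    if matched_var is None:
        return []  # chain starter never matched, so rule 2 is not evaluated
    # Rule 2 ("!@streq", t:lowercase): every transformed argument is compared
    # with the single value left over from rule 1, not with its own original.
    return [name for name, value in args if transform(value) != matched_var]


def per_parameter(args, transform=str.lower):
    """Intended semantics: compare each argument with its own transformed value."""
    return [name for name, value in args if value and transform(value) != value]


# Constructed request parameters (name, value).
SINGLE = [("foo", "AbC")]                      # one parameter: both orders agree
ALL_LOWER = [("foo", "abc"), ("bar", "xyz")]   # nothing changes under t:lowercase
UPPER_FIRST = [("foo", "XYZ"), ("bar", "xyz")] # foo changes under t:lowercase


def compare(args):
    """Return (names flagged by the chain model, names flagged per parameter)."""
    return chained_rules(args), per_parameter(args)


if __name__ == "__main__":
    for label, sample in (("single", SINGLE), ("all lower", ALL_LOWER),
                          ("upper first", UPPER_FIRST)):
        chain, intended = compare(sample)
        print(f"{label:12} chain={chain} intended={intended}")
```

With one parameter the two orders agree; with two, the model flags an unchanged parameter in the all-lowercase request and misses the changed one when the last parameter happens to equal its lowercased form.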