Hi,

The results of the two solutions are not the same:
- The first enables whitelisting / allowing only one predefined pattern
- The second disables the rule, so every content-type is allowed

I prefer the first; for me, security is better. I added the exception in the file modsecurity_crs_11_local_exceptions.conf. The final exception rule is:

SecRule SERVER_NAME <domain> "chain,phase:1,id:'XX',t:none,nolog,pass,msg:'authorize special content-type'"
    SecRule REQUEST_URI /foo/bar "chain"
    SecRule REQUEST_HEADERS:Content-Type "^application/foobar.v\d+\.\d+\+json$" "setvar:tx.allowed_request_content_type=%{MATCHED_VAR}"

It enables whitelisting patterns such as foobarv1.1+json, foobarv1.2+json, foobarv2.9+json. String concatenation with '|' could be a nice feature, I think, to cover some complex cases.

Thank you very much for your help

David

----- Original Message -----
From: "Franziska Buehler" <franziska.buehler.schmoc...@gmail.com>
To: "David Goudet" <david.gou...@lyra-network.com>
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Sent: Tuesday, February 7, 2017 9:47:15 PM
Subject: Re: [Owasp-modsecurity-core-rule-set] Usage of regex in action setvar:'tx.allowed_request_content_type'?

> Or, of course, another, simpler possibility is to just remove the rule.
> Just replace the setvar action in the proposed rule with
> ctl:ruleRemoveById=960010.
>
> Regards,
> Franziska

----- Forwarded Message -----
From: "Franziska Buehler" <franziska.buehler.schmoc...@gmail.com>
To: "David Goudet" <david.gou...@lyra-network.com>
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Sent: Tuesday, February 7, 2017 9:15:34 PM
Subject: Re: [Owasp-modsecurity-core-rule-set] Usage of regex in action setvar:'tx.allowed_request_content_type'?

> Hi David
>
> I found the following solution which worked in my environment (adapted
> to your posted rules):
>
> SecRule SERVER_NAME <domaine> "chain,phase:1,id:'2414',t:none,nolog,pass,msg:'authorize special content-type'"
>     SecRule REQUEST_URI /foo/ "chain"
>     SecRule REQUEST_HEADERS:Content-Type "@rx application/foo\.bar\.v\d\+json" "setvar:tx.allowed_request_content_type=%{MATCHED_VAR}"
>
> You have to put it after the Include of modsecurity_crs_10_setup.conf,
> but before the Include of the Core Rules.
>
> The regexp within the setvar statement doesn't work. I first had to catch it
> in a separate chained rule to use it in setvar afterwards.
>
> The string concatenation with '|' doesn't work either. As far as I
> understand, this is not (yet) implemented. But I think it's enough to
> have exactly the Content-Type you want?
>
> I didn't test it on CentOS 7, but I hope it works for you.
>
> Regards,
> Franziska
>
> 2017-01-31 15:25 GMT+01:00 David Goudet <david.gou...@lyra-network.com>:
> > Hi,
> >
> > I have a question about managing a blocking case with rule 960010.
> >
> > First, some information about the context:
> >
> > # Audit log
> > --7d320124-B--
> > # Request
> > POST /foo HTTP/1.1
> > Host: <domaine>
> > ..
> > Content-Type: application/foo.bar.v1+json
> > ..
> >
> > --7d320124-H--
> > # Trace of blocking action
> > Message: Access denied with code 406 (phase 2). Pattern match "(.*)" at TX:960010-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-TX:0. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10, SQLi=0, XSS=0): Last Matched Message: Request content type is not allowed by policy"] [data "Last Matched Data: application/foo.bar.v1+json"]
> > Message: Warning. Operator GE matched 10 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10, SQLi=0, XSS=0): Request content type is not allowed by policy"]
> > Action: Intercepted (phase 2)
> >
> > # Rule: 960010 (modsecurity_crs_30_http_policy.conf)
> > SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',id:'960010',tag:'OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'2',logdata:'%{matched_var}'"
> >     SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
> >         SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
> >
> > # Configuration of variable allowed_request_content_type (modsecurity_crs_10_setup.conf)
> > SecAction \
> >   "id:'900012', \
> >   phase:1, \
> >   t:none, \
> >   ... \
> >   setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|text/plain|application/xml|application/x-amf|application/json|application/soap+xml|application/octet-stream|multipart/related', \
> >   ... \
> >   nolog, \
> >   pass"
> >
> > A whitelist for this specific case works with something like this:
> >
> > SecRule SERVER_NAME <domaine> "chain,phase:1,id:'2414',t:none,nolog,pass,msg:'authorize special content-type'"
> >     SecRule REQUEST_URI /foo/ "setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|application/foo.bar.v1+json'"
> >
> > But the version in the content-type will change (foo.bar.v1.1+json,
> > foo.bar.v2+json, ...) and I want to avoid adding a new value at each new
> > version of the application. (I know it is recommended to use a dedicated
> > field for this custom usage.)
> >
> > To enable multiple versions, I am trying to use a regex in the
> > setvar:'tx.allowed_request_content_type' action, but the regex is escaped:
> >
> > setvar:'tx.allowed_request_content_type=...|application/foo.bar.v?+json'
> >
> > # Debug log
> > [31/Jan/2017:15:09:36 +0100] [<domaine>/sid#7f9d2318ec38][rid#7f9ce4019ed0][/foo][9] Target value: "application/foo.bar.v1+json"
> > [31/Jan/2017:15:09:36 +0100] [<domaine>/sid#7f9d2318ec38][rid#7f9ce4019ed0][/foo][9] Resolved macro %{tx.allowed_request_content_type} to: ....|application/foo.bar.v1+json
> > [31/Jan/2017:15:09:36 +0100] [<domaine>/sid#7f9d2318ec38][rid#7f9ce4019ed0][/foo][6] Escaping pattern [^...|application\/foo\.bar\.v\?\+json$]
> >
> > Is it possible to use a regex in the setvar:'tx.allowed_request_content_type'
> > action (and prevent the regex from being escaped)? Which solution is
> > recommended to cover this case (whitelisting multiple values in the variable
> > allowed_request_content_type without adding each version one by one)?
> >
> > My environment is CentOS 7; package versions:
> > mod_security-2.7.3-5.el7.x86_64
> > modsecurity-crs_2.2.9
> >
> > Thank you for your help!

--

David GOUDET

LYRA NETWORK
Poste | Service
Tel : +33 (0)5 32 09 09 74 | Poste : 574
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
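As an added example (not code from the thread, from ModSecurity or from the OWASP CRS project), the following Python models the two behaviours the messages above describe: rule 960010 expanding %{tx.allowed_request_content_type} into its @rx operator and escaping the expanded value (so a regex appended through setvar only ever matches itself as a literal, which is what the "Escaping pattern [...]" debug line shows), and the chained phase-1 exception that runs its own @rx against the Content-Type and copies %{MATCHED_VAR} into the variable before the Core Rules see it. The host name api.example.test, the sample requests and the version-tolerant pattern ALLOW_RE (which generalises the two posted regexes to accept both vN and vN.M) are constructed for this example; escape_macro_value() is a simplified model of the escaping visible in the debug log, not ModSecurity's own routine.

```python
"""Why a regex inside setvar:tx.allowed_request_content_type is neutralised
by CRS rule 960010, and why the chained exception rule works.

Added example, not from the thread or the OWASP CRS project: a Python model
of the behaviour visible in the messages above. Host name, sample requests
and ALLOW_RE are constructed; escape_macro_value() approximates what the
debug log shows, it is not ModSecurity's own code.
"""
import re

# CRS 2.2.9 default list from modsecurity_crs_10_setup.conf (quoted above).
CRS_DEFAULT_ALLOWED = (
    "application/x-www-form-urlencoded|multipart/form-data|text/xml|text/plain"
    "|application/xml|application/x-amf|application/json|application/soap+xml"
    "|application/octet-stream|multipart/related"
)

# Version-tolerant pattern for the exception: v1, v1.1, v2.9, ... (generalises
# the two regexes posted in the thread, which each accept only one form).
ALLOW_RE = re.compile(r"^application/foo\.bar\.v\d+(?:\.\d+)?\+json$")
EXCEPTION_HOST = "api.example.test"         # stands in for <domain>; constructed
EXCEPTION_URI_RE = re.compile(r"/foo/bar")  # SecRule REQUEST_URI /foo/bar: unanchored @rx


def escape_macro_value(value):
    """Model of ModSecurity escaping the expanded macro before running @rx.

    The debug log shows '.', '/', '?' and '+' coming back escaped, so a regex
    smuggled in through setvar can only match itself as a literal string.
    Assumption: the '|' separators survive as alternation, which the CRS
    default list depends on.
    """
    return "|".join(re.escape(part) for part in value.split("|"))


def exception_rule(request, tx):
    """Phase-1 exception, included after crs_10_setup and before the Core Rules:

        SecRule SERVER_NAME <domain> "chain,phase:1,id:...,t:none,nolog,pass"
            SecRule REQUEST_URI /foo/bar "chain"
                SecRule REQUEST_HEADERS:Content-Type "@rx <ALLOW_RE>"
                    "setvar:tx.allowed_request_content_type=%{MATCHED_VAR}"

    Every link must match; only then is the exact header value copied into
    the variable. Returns the (possibly updated) TX collection.
    """
    if request["server_name"] != EXCEPTION_HOST:
        return tx
    if not EXCEPTION_URI_RE.search(request["uri"]):
        return tx
    m = ALLOW_RE.match(request.get("content_type", ""))
    if not m:
        return tx
    return dict(tx, allowed_request_content_type=m.group(0))


def rule_960010_blocks(request, tx):
    """Model of CRS 2.2.9 rule 960010: a request with a non-read method must
    carry a Content-Type that is exactly one of the allowed values."""
    if re.match(r"^(?:GET|HEAD|PROPFIND|OPTIONS)$", request["method"]):
        return False                      # first link of the chain fails
    m = re.match(r"^([^;\s]+)", request.get("content_type", ""))
    if not m:
        return False                      # no header to capture into TX:0
    tx0 = m.group(1)                      # media type without ';charset=...'
    # SecRule TX:0 "!^%{tx.allowed_request_content_type}$" after expansion
    # and escaping (the model groups the alternation so both anchors apply).
    pattern = "^(?:" + escape_macro_value(tx["allowed_request_content_type"]) + ")$"
    return re.search(pattern, tx0) is None


def evaluate(request, allowed=CRS_DEFAULT_ALLOWED, use_exception=False):
    """Run the phase-1 rules in include order and report 960010's verdict."""
    tx = {"allowed_request_content_type": allowed}
    if use_exception:
        tx = exception_rule(request, tx)  # runs first: included before the CRS
    return "blocked" if rule_960010_blocks(request, tx) else "allowed"


def post(uri, content_type, host=EXCEPTION_HOST, method="POST"):
    """Constructed sample request shaped like the audit-log entry above."""
    return {"server_name": host, "uri": uri, "method": method,
            "content_type": content_type}


if __name__ == "__main__":
    v1 = post("/foo/bar", "application/foo.bar.v1+json")
    # 1. Stock CRS 2.2.9 policy: the custom media type is not in the list.
    print(evaluate(v1))                                        # blocked
    # 2. Regex appended through setvar: escaped, so it matches only the
    #    literal string "application/foo.bar.v?+json".
    attempt = CRS_DEFAULT_ALLOWED + "|application/foo.bar.v?+json"
    print(evaluate(v1, allowed=attempt))                       # blocked
    print(evaluate(post("/foo/bar", "application/foo.bar.v?+json"),
                   allowed=attempt))                           # allowed
    # 3. Chained exception: the @rx runs inside the rule, and 960010 then
    #    compares against the literal value that matched.
    print(evaluate(v1, use_exception=True))                    # allowed
    print(evaluate(post("/foo/bar", "application/foo.bar.v2.9+json"),
                   use_exception=True))                        # allowed
    print(evaluate(post("/other", "application/foo.bar.v1+json"),
                   use_exception=True))                        # blocked
```

Run it with python3. The last case is the property David prefers over ctl:ruleRemoveById=960010: because every link of the chain must match, the same versioned Content-Type stays blocked on any other URI or host, and a malformed version string such as "vX" never reaches the allowed list, while the stock policy for every other media type is untouched.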