Hello Jai,
That's a good question.
We are not overly happy with the way this is done. So there are discussions to
overhaul this completely.
However, when you have a non-xml request, then ARGS and ARGS_NAMES will be
populated. And there are a few cases where REQUEST_BODY is indeed covered
and this can result in double hits on the same rule on the same payload.
Cheers,
Christian
On Wed, Jan 02, 2019 at 02:09:06PM -0600, Jai Harpalani wrote:
> There are many OWASP CRS rules which have XML in the list of operators, but
> not REQUEST_BODY. An example of one is below.
>
> SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf lfi-os-files.data" \
> "phase:request,\
> msg:'OS File Access Attempt',\
> rev:'4',\
> ver:'OWASP_CRS/3.0.0',\
> maturity:'9',\
> accuracy:'9',\
> capture,\
> t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
> block,\
> id:930120,\
> . . .
>
> This rule is searching for patterns specified in lfi-os-files.data. It is
> not using XPath expressions. The XML operator will be empty for non-xml
> requests or when the xml parser is disabled. In these cases, wouldn't we
> still want to search the request body for patterns specified in
> lfi-os-files.data? Is there a reason that the patterns are only searched
> for in the request body for XML requests?
> ___
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
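A simplified Python model of the behaviour discussed in this thread, added here as an example and not part of either message or of ModSecurity/CRS: it shows which targets of rule 930120 see the body for a form-encoded, an XML and a plain-text request, and the double hit that appears when REQUEST_BODY is added. The pattern list, sample requests and function names are constructed, and the population rules are an assumption modelled on ModSecurity v2 (REQUEST_BODY filled only by the URLENCODED processor).

```python
# Simplified model (added example, not ModSecurity or CRS code).
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, unquote_plus

PATTERNS = ["etc/passwd", ".htaccess"]  # constructed stand-in for lfi-os-files.data
RULE_TARGETS = ["ARGS_NAMES", "ARGS", "XML:/*"]  # body-related targets of 930120

def collections(content_type, body, xml_parser=True):
    """Return which collections the request body fills (assumed v2 behaviour)."""
    col = {"ARGS_NAMES": [], "ARGS": [], "XML:/*": [], "REQUEST_BODY": []}
    if content_type == "application/x-www-form-urlencoded":
        pairs = parse_qsl(body, keep_blank_values=True)
        col["ARGS_NAMES"] = [name for name, _ in pairs]
        col["ARGS"] = [value for _, value in pairs]
        col["REQUEST_BODY"] = [body]  # raw body kept by the URLENCODED processor
    elif content_type in ("text/xml", "application/xml") and xml_parser:
        root = ET.fromstring(body)
        col["XML:/*"] = ["".join(root.itertext())]  # text nodes only
    # any other content type: no body processor runs, nothing is filled
    return col

def hits(targets, col):
    """List the targets in which a pattern matches after decoding and lowercasing."""
    matched = []
    for target in targets:
        for value in col[target]:
            text = unquote_plus(value).lower()  # stand-in for t:urlDecodeUni,t:lowercase
            if any(p in text for p in PATTERNS):
                matched.append(target)
    return matched

SAMPLES = {  # constructed requests: (content type, body)
    "form": ("application/x-www-form-urlencoded", "file=%2Fetc%2Fpasswd"),
    "xml": ("text/xml", "<doc><path>/etc/passwd</path></doc>"),
    "plain": ("text/plain", "/etc/passwd"),
}

def compare(name, xml_parser=True):
    """Hits for the rule as written, and with REQUEST_BODY added to its targets."""
    col = collections(*SAMPLES[name], xml_parser=xml_parser)
    return hits(RULE_TARGETS, col), hits(RULE_TARGETS + ["REQUEST_BODY"], col)

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, compare(name))
```

In this model the plain-text body, and the XML body with the parser disabled, reach none of the rule's targets, which is the gap the question raises; the form-encoded body is matched twice once REQUEST_BODY is listed.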