Re: Issue with TX macro expansion in SecRule regexes
Christian Folini <christian.folini <at> time-machine.ch>
2013-05-21 13:17:16 GMT
Hello,
There has not been any feedback on this subject. I have looked into the
documentation again and thought I would provide some additional
information so the next person stumbling over this issue might at least
find something on google.
The Changelog lists "Added support to macro expansion for rx
operator." for 2.6.2-rc1.
The Reference Guide says
"You cannot use macro expansion for operators that are "compiled" such
as @pm, @rx, etc. as these operators have their values fixed at
configure time for efficiency."
That looks like a contradiction to me.
In my previous message, I noted that the core rules use macro expansion in
the operator part of the SecRule statement. Actually, modsecurity_crs_30_http_policy.conf
only uses the TX macro expansion together with @within, which is
advertised in the Reference Guide under Macro Expansion.
The initial issue persists though. This works:
SecAction "phase:1,id:1,pass,nolog,setvar:'TX.cookielist=cookie1|cookie2'"
SecRule RESPONSE_HEADERS:/Set-Cookie/ "%{tx.cookielist}" "phase:3,id:2,t:none,pass,log,msg:'HIT'"
This does not work:
SecAction "phase:1,id:1,pass,nolog,setvar:'TX.cookielist=cookie1|cookie2'"
SecRule RESPONSE_HEADERS:/Set-Cookie/ "(%{tx.cookielist})" "phase:3,id:2,t:none,pass,log,msg:'HIT'"
Now is the changelog wrong, the documentation or my reasoning?
Cheers,
Christian
On Fri, May 10, 2013 at 10:47:31AM +0000, christian.folini <at> post.ch wrote:
> Hi there,
>
> ModSec 2.6.2 introduced macro expansion for SecRule regex matches. This is not really documented
> in the handbook, but it works and the core rules make good use of the feature. However, I hit a dead end when
> trying to extend the regex containing the macro. First it works, but as soon as I introduce brackets, the regex is being escaped in an
> undesired way.
>
> My whole plan may sound crazy, but actually, it's not that queer. Let's build it up step
> by step:
>
> Step 1 :
> The problem only occurs if we use macro expansion. The following works just fine, of course:
> SecRule RESPONSE_HEADERS:/Set-Cookie/ "(cookie1|cookie2)" "phase:3,id:2,t:none,pass,log,msg:'HIT'"
>
> Debug log:
> ... Executing operator "rx" with param "(cookie1|cookie2)" against RESPONSE_HEADERS:Set-Cookie.
>
> Step 2 :
> Now let's introduce a simple macro expansion with a pipe character. Still works.
> SecAction "phase:1,id:1,pass,nolog,setvar:'TX.cookielist=cookie1|cookie2'"
> SecRule RESPONSE_HEADERS:/Set-Cookie/ "%{tx.cookielist}" "phase:3,id:2,t:none,pass,log,msg:'HIT'"
>
> The debug log documents the macro expansion and escaping as follows:
> ... Executing operator "rx" with param "%{tx.cookielist}" against RESPONSE_HEADERS:Set-Cookie.
> ...
> ... Resolved macro %{tx.cookielist} to: cookie1|cookie2
> ... Escaping pattern [cookie1|cookie2]
>
> Step 3 :
> However, if we introduce brackets in the regex, they get escaped and the whole fun is thus spoiled.
> SecAction "phase:1,id:1,pass,nolog,setvar:'TX.cookielist=cookie1|cookie2'"
> SecRule RESPONSE_HEADERS:/Set-Cookie/ "(%{tx.cookielist})" "phase:3,id:2,t:none,pass,log,msg:'HIT'"
>
> Debug log:
> ... Executing operator "rx" with param "(%{tx.cookielist})" against RESPONSE_HEADERS:Set-Cookie.
> ...
> ... Resolved macro %{tx.cookielist} to: cookie1|cookie2
> ... Escaping pattern [\(cookie1|cookie2\)]
>
>
> Maybe my brain is playing tricks on me or the problem is not within ModSec but
> in pcre. But when looking through the O'Reilly book I did not find an answer
> and playing around with more obscure things like regex modifiers only meant that the
> modifier would be escaped too. So I am at loss here. If one would be able to
> suppress that escaping function, it might work out.
>
> Has anybody tried this before or can somebody think of a trick to make it work?
>
> Regs,
>
> Christian
>
>
>
> Christian Folini
> Unix Engineer, Apache Security Specialist
>
> Die Schweizerische Post
> Services
> Informationstechnologie
> Betrieb, IT 222 extern
> Webergutstrasse 12
> 3030 Bern (Zollikofen)
> Mobile +41 79 300 32 03
> E-Mail: christian.folini <at> post.ch
> Internet: http://www.post.ch / http://folini.tikon.ch
>
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
--
Christian Folini - <christian.folini <at> netnea.com>
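Added example, not part of the thread and not ModSecurity's own code: a small Python model of the three debug-log traces above, so the effect of the escaping step can be seen against sample headers. The macro expansion and the escaping are modelled from the thread only: the two "Escaping pattern" lines prove that "(" and ")" are backslash-escaped and "|" is not, so the model escapes exactly those two characters; what else ModSecurity escapes is not shown here and is left out. The Set-Cookie header values are constructed for the demo. A fifth case, beyond the thread, shows what happens if the parentheses are simply dropped to avoid the escaping and anchors are placed around the macro instead.

```python
import re

# Constructed Set-Cookie header values for the demo (not taken from the thread).
SET_COOKIE_HEADERS = [
    "cookie1=abc; Path=/; HttpOnly",
    "cookie2=def; Path=/",
    "notcookie2=zzz; Path=/",   # contains "cookie2=" but does not start with it
    "other=ghi; Path=/",
]

# The TX collection after: setvar:'TX.cookielist=cookie1|cookie2'
TX = {"cookielist": "cookie1|cookie2"}

# %{tx.name} references; the collection name is case-insensitive in the thread
# ('TX.cookielist' is set, '%{tx.cookielist}' is read).
MACRO_RE = re.compile(r"%\{tx\.([A-Za-z0-9_]+)\}", re.IGNORECASE)


def expand_macros(pattern: str, tx: dict) -> str:
    """Substitute every %{tx.name} with the variable's value (empty if unset)."""
    return MACRO_RE.sub(lambda m: tx.get(m.group(1).lower(), ""), pattern)


def escape_like_debug_log(pattern: str) -> str:
    """Model of the escaping step visible in the debug log.

    The thread shows 'Escaping pattern [cookie1|cookie2]' (unchanged) and
    'Escaping pattern [\\(cookie1|cookie2\\)]', so this model escapes only the
    two characters the log proves are touched. Which other characters
    ModSecurity escapes is not shown in the thread (assumption).
    """
    return pattern.replace("(", r"\(").replace(")", r"\)")


def rx_matches(pattern: str, tx: dict, headers) -> tuple[str, list[str]]:
    """Return (regex actually compiled, headers it matches).

    A pattern without a macro is used verbatim (fixed at configure time);
    a pattern with a macro is expanded at run time and then escaped.
    """
    if "%{" in pattern:
        final = escape_like_debug_log(expand_macros(pattern, tx))
    else:
        final = pattern
    rx = re.compile(final, re.DOTALL)
    return final, [h for h in headers if rx.search(h)]


def walk_through() -> dict[str, tuple[str, list[str]]]:
    """Steps 1-3 from the thread plus two extra cases: dropping the group to
    dodge the escaping lets the anchor bind to the first alternative only."""
    cases = {
        "step1 literal group": "(cookie1|cookie2)",
        "step2 macro only": "%{tx.cookielist}",
        "step3 macro in group": "(%{tx.cookielist})",
        "anchored without group": "^%{tx.cookielist}=",
        "anchored with group (intended)": "^(cookie1|cookie2)=",
    }
    return {name: rx_matches(p, TX, SET_COOKIE_HEADERS) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (final, hits) in walk_through().items():
        print(f"{name:32} rx={final!r:28} hits={[h.split('=')[0] for h in hits]}")
```

Step 3 comes out as the regex `\(cookie1|cookie2\)`, which is no longer a group: it is two alternatives, `\(cookie1` and `cookie2\)`, each demanding a literal parenthesis that no cookie header contains, so the rule never fires. The extra case shows why leaving the parentheses out is not a fix either: in `^cookie1|cookie2=` the anchor belongs to the first alternative alone and the `=` to the last, so a header named `notcookie2` still hits, while the intended `^(cookie1|cookie2)=` does not match it.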