Usman Waheed | 1 Oct 2011 15:08

mlogc gets stuck

Hi,

Has anyone experienced problems with mlogc where it just gets stuck and
eats up the CPU on the machine?
Apparently we ran into this problem on one of our machines.
The strace was empty and there is no way to tell what happened.
The mlogc error log level was set to 1, so there is not much there.

My settings in the mlogc.conf are as follows:

ErrorLogLevel      1
MaxConnections      10
MaxWorkerRequests   1000
TransactionDelay    250
StartupDelay        5000
CheckpointInterval  60
ServerErrorTimeout  60

Thanks,
Usman

-- 
Using Opera's revolutionary email client: http://www.opera.com/mail/

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2dcopy2

Steffen | 1 Oct 2011 14:20

Re: Availability of ModSecurity 2.6.2

Windows 32- and 64-bit downloads are available at http://www.apachelounge.com.

Steffen
----- Original Message -----
Sent: Friday, September 30, 2011 11:57 PM
Subject: [mod-security-users] Availability of ModSecurity 2.6.2

The ModSecurity Development Team is pleased to announce the availability of the ModSecurity 2.6.2 release.
The stability of this release is good, and it includes some new features and bug fixes, especially ones that came from lessons learned in the SQL Injection Challenge.
Please see the release notes included in the CHANGES file. The download is available from the ModSecurity website http://www.modsecurity.org/

For known problems and more information about bug fixes, please see the online ModSecurity Jira.
Please report any bugs to mod-security-developers <at> lists.sourceforge.net.

Thanks

Breno


_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
Ryan Barnett | 4 Oct 2011 14:36

Re: Disable All SQLI Rules (or All Rules) for certain parameter


From: Todd Michael Bushnell <todd <at> toorsecurity.com>
Date: Mon, 26 Sep 2011 16:38:57 -0500
To: "mod-security-users <at> lists.sourceforge.net" <mod-security-users <at> lists.sourceforge.net>
Subject: [mod-security-users] Disable All SQLI Rules (or All Rules) for certain parameter

I know how to use SecRuleUpdateTargetById to stop running rules against, for example, certain sections of
a request.  For example:

SecRuleUpdateTargetById 123456 "!ARGS:foo"

What I would like to effectively do is what I'm doing above, but for all SQL Injection rules at one time,
rather than one ID at a time, as there is no point in running expensive SQL injection rules against that
above parameter.

Understood.  I think what is needed is a new directive/action – SecRuleUpdateTargetByTag and
ctl:ruleUpdateTargetByTag, as this would allow you to update rule variable lists en masse to exclude
specific parameter data.  Please open a Jira ticket for this new feature - https://www.modsecurity.org/tracker/

One question for you – are you running the OWASP CRS in anomaly scoring mode?  If so, you can do a work-around in
the meantime.  See the final "Anomaly Scoring Exceptions" section of this blog post -
http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html.
Essentially, you let the rules run as they are and then you write a custom rule in a 48 local rules file (that
runs right before the 49 inbound blocking rules), and then you can adjust the anomaly score down if you find a
TX variable showing that SQLi was found in that parameter – ARGS:foo.

-Ryan

Alternatively, I could even turn the rule engine off for this parameter, if that's possible.  Something
like SecRuleRemoveByTag, but only for one or a few parameters rather than globally or for an entire page.  
My goal here is not to simply pass, but to disable the run because these rules are causing unacceptable
performance degradation so I'd rather they not run against certain irrelevant parameters.  Thx much.

todd

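A worked configuration for the two options discussed in this thread, added here as an illustration; it is not code from the thread, from the OWASP CRS, or from the ModSecurity distribution. It assumes CRS 2.x running in anomaly scoring mode, that a matching SQLi rule leaves a TX variable whose name ends in "WEB_ATTACK/SQL_INJECTION-<matched variable name>" (the naming the 2.2.x rules used), and that the local exceptions file is included after the CRS attack rules and before the 49 inbound blocking file. The rule IDs (123456, 123457, 990001) and the parameter name foo are placeholders.

```apache
# ---- Option 1: per-rule target exclusion (what the thread already does) ----
# There is no by-tag form of this directive in this release, so every SQLi
# rule has to be listed by its ID. The IDs below are placeholders.
SecRuleUpdateTargetById 123456 "!ARGS:foo"
SecRuleUpdateTargetById 123457 "!ARGS:foo"

# ---- Option 2: anomaly-scoring exception (CRS 2.x anomaly mode only) ----
# Assumed file: modsecurity_crs_48_local_exceptions.conf, loaded after the
# CRS attack rules and before modsecurity_crs_49_inbound_blocking.conf.
# The SQLi rules still execute, so this removes the false positive and the
# block, not the CPU cost Todd is worried about.
#
# Assumption: a CRS SQLi match on ARGS:foo sets a TX variable whose name
# matches the regex selector below. If one exists in this transaction,
# subtract the critical-severity score that match added from both the
# overall and the SQLi-specific anomaly scores, so the 49 file no longer
# sees the parameter as an attack. If several SQLi rules flag the same
# parameter, confirm in the debug log how many times the decrement fires
# before relying on the resulting score.
SecRule TX:/SQL_INJECTION-ARGS:foo$/ ".*" \
    "phase:2,id:'990001',t:none,nolog,pass,\
    setvar:tx.anomaly_score=-%{tx.critical_anomaly_score},\
    setvar:tx.sql_injection_score=-%{tx.critical_anomaly_score}"
```

Option 2 only changes the outcome, never the work done: every SQLi rule still runs against ARGS:foo, which is why it addresses Todd's false-positive problem but not his performance problem. For the latter, only target exclusion (Option 1) helps in this release; ModSecurity 2.7 later added the SecRuleUpdateTargetByTag directive Ryan proposes here, which lets the same exclusion be applied to every rule carrying a given tag in one line.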

Todd Michael Bushnell | 4 Oct 2011 22:17

Re: Disable All SQLI Rules (or All Rules) for certain parameter

Thanks Ryan.  One of the primary issues here is performance so I'm trying to only run such rules where needed.  This will def reduce false positives, but won't help me with performance (?) given that all rules will still be running.  Will have to do some risk assessment and ultimately sacrifice some security for performance.  

todd


Martin Sperl | 6 Oct 2011 01:06

mod_security and XML

Hi!

I got a simple single rule like this:

SecRule REQUEST_BODY "<wsse:Username>(.*)</wsse:Username>" phase:2,capture,t:none,setenv:SOAPUser=%{TX.1}

And no other rules configured at all!

When I send in the request with curl like this:

curl -k http://hostname/whatever/the/url --data-binary "<wsse:Username>mytest</wsse:Username>"

then mod_security does match the regexp and sets the environment variable.

But when I send the SAME request like this:

curl -k http://hostname/whatever/the/url --data-binary "<wsse:Username>mytest</wsse:Username>" -H "Content-Type: text/xml;charset=UTF-8"

it does not match and thus does not set the environment variable – even though it contains the SAME post.

In the matching case I get in the debug logs (set to 9) a line like this:

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][5] Adding request argument (BODY): name "<wsse:Username>mytest</wsse:Username>", value ""

This does not happen when sending the Content-Type header…

Is there an easy way to make it work in BOTH cases, or at least to achieve the same in both cases?

Thanks,
                Martin

P.S.: Here is the full debug log:

The request without the content-type:

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Initialising transaction (txid Tozg4AoKCvwAADp5kI4AAAAB).

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Transaction context created (dcfg 7f1582da1e18).

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] First phase starting (dcfg 7f1582da1e18).

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase REQUEST_HEADERS.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 0 rule(s).

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Second phase starting (dcfg 7f1582da1e18).

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Reading request body.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Input filter: Bucket type HEAP contains 37 bytes.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Input filter: Bucket type EOS contains 0 bytes.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][5] Adding request argument (BODY): name "<wsse:Username>mytest</wsse:Username>", value ""

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Completed receiving request body (length 37).

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase REQUEST_BODY.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 1 rule(s).

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Recipe: Invoking rule 7f1582e0d370; [file "/etc/httpd/modsecurity.d/ourrules.conf"] [line "4"].

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][5] Rule 7f1582e0d370: SecRule "REQUEST_BODY" " <at> rx <wsse:Username>(.*)</wsse:Username>" "phase:2,log,auditlog,pass,capture,t:none,setenv:SOAPUser=%{TX.1}"

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Transformation completed in 7 usec.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Executing operator "rx" withparam "<wsse:Username>(.*)</wsse:Username>" against REQUEST_BODY.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Target value: "<wsse:Username>mytest</wsse:Username>"

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Added regex subexpression toTX.0: <wsse:Username>mytest</wsse:Username>

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Added regex subexpression toTX.1: mytest

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Operator completed in 83 usec.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Setting env variable: SOAPUser=%{TX.1}

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Resolved macro %{TX.1} to: mytest

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Set env variable "SOAPUser" to: mytest

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][2] Warning. Pattern match "<wsse:Username>(.*)</wsse:Username>" at REQUEST_BODY. [file "/etc/httpd/modsecurity.d/ourrules.conf"] [line "4"]

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Rule returned 1.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Match -> mode NEXT_RULE.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook insert_filter: Adding input forwarding filter (r 7f1582f0b8f8).

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook insert_filter: Adding output filter (r 7f1582f0b8f8).

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Forwarding input: mode=0, block=0, nbytes=8192 (f 7f1582f14908, r 7f1582f0b8f8).

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Forwarded 37 bytes.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Sent EOS.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Input forwarding complete.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook insert_error_filter: Adding output filter (r 7f1582f0b8f8).

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Output filter: Receiving output (f 7f1582f14bb0, r 7f1582f0b8f8).

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase RESPONSE_HEADERS.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 0 rule(s).

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Content Injection: Not enabled.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Output filter: Bucket type HEAP contains 296 bytes.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Output filter: Bucket type EOS contains 0 bytes.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Output filter: Completed receiving response body (buffered full - 296 bytes).

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase RESPONSE_BODY.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 0 rule(s).

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Output filter: Output forwarding complete.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Initialising logging.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase LOGGING.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 0 rule(s).

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Recording persistent data took 0 microseconds.

[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Audit log: Not configured torun for this request.

 

The request with the mime-type header set:

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Initialising transaction (txid Tozg6goKCvwAADp6kUAAAAAC).

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Transaction context created (dcfg 7f1582da1e18).

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] First phase starting (dcfg 7f1582da1e18).

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase REQUEST_HEADERS.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 0 rule(s).

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Second phase starting (dcfg 7f1582da1e18).

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Reading request body.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Input filter: Bucket type HEAP contains 37 bytes.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Input filter: Bucket type EOS contains 0 bytes.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Request body no files length: 0

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Completed receiving request body (length 37).

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase REQUEST_BODY.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 1 rule(s).

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Recipe: Invoking rule 7f1582e0d370; [file "/etc/httpd/modsecurity.d/ourrules.conf"] [line "4"].

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][5] Rule 7f1582e0d370: SecRule "REQUEST_BODY" " <at> rx <wsse:Username>(.*)</wsse:Username>" "phase:2,log,auditlog,pass,capture,t:none,setenv:SOAPUser=%{TX.1}"

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Rule returned 0.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] No match, not chained -> mode NEXT_RULE.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook insert_filter: Adding input forwarding filter (r 7f1582f0b8f8).

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook insert_filter: Adding output filter (r 7f1582f0b8f8).

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Forwarding input: mode=0, block=0, nbytes=8192 (f 7f1582f148f0, r 7f1582f0b8f8).

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Forwarded 37 bytes.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Sent EOS.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Input forwarding complete.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook insert_error_filter: Adding output filter (r 7f1582f0b8f8).

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Output filter: Receiving output (f 7f1582f14b98, r 7f1582f0b8f8).

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase RESPONSE_HEADERS.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 0 rule(s).

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Content Injection: Not enabled.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Output filter: Bucket type HEAP contains 296 bytes.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Output filter: Bucket type EOS contains 0 bytes.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Output filter: Completed receiving response body (buffered full - 296 bytes).

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase RESPONSE_BODY.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 0 rule(s).

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Output filter: Output forwarding complete.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Initialising logging.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase LOGGING.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 0 rule(s).

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Recording persistent data took 0 microseconds.

[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Audit log: Not configured torun for this request.

 

Ryan Barnett | 6 Oct 2011 01:15

Re: mod_security and XML

You need a rule that activates the XML request body parser.

If you use the recommended base config it will handle this for you -
http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#A_Recommended_Base_Configuration


Ryan

On Oct 5, 2011, at 7:09 PM, "Martin Sperl" <Martin.Sperl <at> amdocs.com> wrote:

Hi!

I got a simple single rule like this:
SecRule REQUEST_BODY "<wsse:Username>(.*)</wsse:Username>" phase:2,capture,t:none,setenv:SOAPUser=%{TX.1}

And no other rules configured at all!

When I send in the request with curl like this:
curl -k http://hostname/whatever/the/url --data-binary "<wsse:Username>mytest</wsse:Username>"

Then mod_security does match the regexp and set the environment variable.

But when I send the SAME request like this:
curl -k http://hostname/whatever/the/url --data-binary "<wsse:Username>mytest</wsse:Username>"
-H "Content-Type: text/xml;charset=UTF-8"

it does not match and thus does not set the environment variable – even though it contains the SAME post.

In the matching case I get in the debug logs (set to 9) a line like this:
[05/Oct/2011:22:57:36 +0000]
[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][5] Adding request argument
(BODY): name "<wsse:Username>mytest</wsse:Username>", value ""

This does not happen when sending the Content-Type header…

Is there an easy way to make it work in BOTH cases or at least to achieve the same in both cases

Thanks,
                Martin

P.s: Here the full debug log:

The request without the content-type:
[05/Oct/2011:22:57:36 +0000]
[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Initialising
transaction (txid Tozg4AoKCvwAADp5kI4AAAAB).
[05/Oct/2011:22:57:36 +0000]
[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Transaction context
created (dcfg 7f1582da1e18).
[05/Oct/2011:22:57:36 +0000]
[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] First phase starting
(dcfg 7f1582da1e18).
[05/Oct/2011:22:57:36 +0000]
[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase REQUEST_HEADERS.
[05/Oct/2011:22:57:36 +0000]
[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 0 rule(s).
[05/Oct/2011:22:57:36 +0000]
[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Second phase starting
(dcfg 7f1582da1e18).
[05/Oct/2011:22:57:36 +0000]
[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Reading
request body.
[05/Oct/2011:22:57:36 +0000]
[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Input filter: Bucket type
HEAP contains 37 bytes.
[05/Oct/2011:22:57:36 +0000]
[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Input filter: Bucket type
EOS contains 0 bytes.
[05/Oct/2011:22:57:36 +0000]
[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][5] Adding request argument
(BODY): name "<wsse:Username>mytest</wsse:Username>", value ""
[05/Oct/2011:22:57:36 +0000]
[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Completed
receiving request body (length 37).
[05/Oct/2011:22:57:36 +0000]
[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase REQUEST_BODY.
[05/Oct/2011:22:57:36 +0000]
[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 1 rule(s).
[05/Oct/2011:22:57:36 +0000]
[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Recipe: Invoking rule
7f1582e0d370; [file "/etc/httpd/modsecurity.d/ourrules.conf"] [line "4"].
[05/Oct/2011:22:57:36 +0000]
[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][5] Rule 7f1582e0d370:
SecRule "REQUEST_BODY" " <at> rx <wsse:Username>(.*)</wsse:Username>" "phase:2,log,auditlog,pass,capture,t:none,setenv:SOAPUser=%{TX.1}"
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Transformation completed in 7 usec.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Executing operator "rx" with param "<wsse:Username>(.*)</wsse:Username>" against REQUEST_BODY.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Target value: "<wsse:Username>mytest</wsse:Username>"
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Added regex subexpression to TX.0: <wsse:Username>mytest</wsse:Username>
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Added regex subexpression to TX.1: mytest
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Operator completed in 83 usec.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Setting env variable: SOAPUser=%{TX.1}
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Resolved macro %{TX.1} to: mytest
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Set env variable "SOAPUser" to: mytest
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][2] Warning. Pattern match "<wsse:Username>(.*)</wsse:Username>" at REQUEST_BODY. [file "/etc/httpd/modsecurity.d/ourrules.conf"] [line "4"]
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Rule returned 1.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Match -> mode NEXT_RULE.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook insert_filter: Adding input forwarding filter (r 7f1582f0b8f8).
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook insert_filter: Adding output filter (r 7f1582f0b8f8).
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Forwarding input: mode=0, block=0, nbytes=8192 (f 7f1582f14908, r 7f1582f0b8f8).
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Forwarded 37 bytes.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Sent EOS.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Input forwarding complete.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook insert_error_filter: Adding output filter (r 7f1582f0b8f8).
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Output filter: Receiving output (f 7f1582f14bb0, r 7f1582f0b8f8).
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase RESPONSE_HEADERS.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 0 rule(s).
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Content Injection: Not enabled.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Output filter: Bucket type HEAP contains 296 bytes.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Output filter: Bucket type EOS contains 0 bytes.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Output filter: Completed receiving response body (buffered full - 296 bytes).
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase RESPONSE_BODY.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 0 rule(s).
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Output filter: Output forwarding complete.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Initialising logging.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase LOGGING.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 0 rule(s).
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Recording persistent data took 0 microseconds.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Audit log: Not configured to run for this request.

The request with the mime-type header set:
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Initialising transaction (txid Tozg6goKCvwAADp6kUAAAAAC).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Transaction context created (dcfg 7f1582da1e18).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] First phase starting (dcfg 7f1582da1e18).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase REQUEST_HEADERS.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 0 rule(s).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Second phase starting (dcfg 7f1582da1e18).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Reading request body.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Input filter: Bucket type HEAP contains 37 bytes.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Input filter: Bucket type EOS contains 0 bytes.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Request body no files length: 0
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Completed receiving request body (length 37).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase REQUEST_BODY.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 1 rule(s).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Recipe: Invoking rule 7f1582e0d370; [file "/etc/httpd/modsecurity.d/ourrules.conf"] [line "4"].
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][5] Rule 7f1582e0d370: SecRule "REQUEST_BODY" "@rx <wsse:Username>(.*)</wsse:Username>" "phase:2,log,auditlog,pass,capture,t:none,setenv:SOAPUser=%{TX.1}"
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Rule returned 0.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] No match, not chained -> mode NEXT_RULE.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook insert_filter: Adding input forwarding filter (r 7f1582f0b8f8).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook insert_filter: Adding output filter (r 7f1582f0b8f8).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Forwarding input: mode=0, block=0, nbytes=8192 (f 7f1582f148f0, r 7f1582f0b8f8).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Forwarded 37 bytes.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Sent EOS.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Input forwarding complete.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook insert_error_filter: Adding output filter (r 7f1582f0b8f8).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Output filter: Receiving output (f 7f1582f14b98, r 7f1582f0b8f8).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase RESPONSE_HEADERS.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 0 rule(s).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Content Injection: Not enabled.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Output filter: Bucket type HEAP contains 296 bytes.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Output filter: Bucket type EOS contains 0 bytes.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Output filter: Completed receiving response body (buffered full - 296 bytes).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase RESPONSE_BODY.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 0 rule(s).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Output filter: Output forwarding complete.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Initialising logging.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase LOGGING.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This phase consists of 0 rule(s).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Recording persistent data took 0 microseconds.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Audit log: Not configured to run for this request.


This message and the information contained herein is proprietary and confidential and subject to the
Amdocs policy statement,
you may review at http://www.amdocs.com/email_disclaimer.asp



------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users

Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/

http://www.modsecurity.org/projects/commercial/support/


________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from
disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any
disclosure, copying, distribution, or use of the information contained herein (including any reliance
thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately
contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
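
The two debug logs above differ in one place that is easy to miss across seventy wrapped lines: in the second transaction no "Target value:" line is ever written before "Rule returned 0", so the rx operator was never run against anything, while the first transaction shows "Adding request argument (BODY)" followed by a target value and "Rule returned 1". The script below is an added example, not part of the thread and not ModSecurity's own tooling. It condenses the two transactions into a constructed sample, groups entries by txid (the rid pool address is the same for both requests, as the log shows) and reports, per transaction, whether a body was received, whether it was parsed into arguments, whether the rule target was ever evaluated, and what the rule returned.

```python
"""Triage ModSecurity 2.x debug-log transactions: did a phase-2 REQUEST_BODY
rule actually see a body, and why did it (or did it not) match?

Added example for this thread, not ModSecurity's own tooling. SAMPLE_LOG is
constructed: a condensed subset of the two transactions posted above, joined
onto one line per entry.
"""
import re

# One debug-log entry: [timestamp] [server/sid][rid#...][uri][level] message
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[(?P<server>[^\]]+)\]\[rid#(?P<rid>[0-9a-f]+)\]\[(?P<uri>[^\]]+)\]"
    r"\[(?P<level>\d)\] (?P<msg>.*)$"
)
TXID_RE = re.compile(r"Initialising transaction \(txid (?P<txid>[^)\s]+)\)")
BODYLEN_RE = re.compile(r"Completed receiving request body \(length (?P<n>\d+)\)")
RULE_RET_RE = re.compile(r"^Rule returned (?P<rc>[01])\.")

SAMPLE_LOG = """\
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Initialising transaction (txid Tozg4AoKCvwAADp5kI4AAAAB).
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][5] Adding request argument (BODY): name "<wsse:Username>mytest</wsse:Username>", value ""
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Completed receiving request body (length 37).
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase REQUEST_BODY.
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Target value: "<wsse:Username>mytest</wsse:Username>"
[05/Oct/2011:22:57:36 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Rule returned 1.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Initialising transaction (txid Tozg6goKCvwAADp6kUAAAAAC).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Request body no files length: 0
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input filter: Completed receiving request body (length 37).
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Starting phase REQUEST_BODY.
[05/Oct/2011:22:57:46 +0000] [hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Rule returned 0.
"""


def parse_entries(text):
    """Yield (ts, rid, uri, level, msg) for each well-formed entry; skip the rest."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield (m.group("ts"), m.group("rid"), m.group("uri"),
                   int(m.group("level")), m.group("msg"))


def verdict(tx):
    """One-line diagnosis for a transaction summary built by triage()."""
    if 1 in tx["rule_results"]:
        return "matched: the rule saw the body and the pattern fired"
    if tx["rule_results"] and not tx["target_evaluated"]:
        # Body bytes arrived but no operator was run against any value: the
        # target variable was empty. For REQUEST_BODY that is the Content-Type /
        # body-processor problem discussed in the thread, not a regex problem.
        return ("not evaluated: %s body bytes received but the rule target was "
                "empty; check the body processor for this Content-Type"
                % tx["body_length"])
    if tx["rule_results"]:
        return "no match: the rule ran against the body but the pattern did not fire"
    return "no rule ran in this transaction"


def triage(text):
    """Split entries into transactions and summarise the REQUEST_BODY evidence.

    Transactions are split on "Initialising transaction": the rid (request
    pool address) is reused across requests in the thread's log, so it is not
    a safe key on its own.
    """
    transactions = []
    current = None
    for _ts, _rid, uri, _level, msg in parse_entries(text):
        m = TXID_RE.search(msg)
        if m:
            current = {
                "txid": m.group("txid"),
                "uri": uri,
                "body_length": None,
                "body_parsed_as_args": False,  # saw "Adding request argument (BODY)"
                "target_evaluated": False,     # saw "Target value:" for some operator
                "rule_results": [],            # every "Rule returned N", in order
            }
            transactions.append(current)
            continue
        if current is None:
            continue  # entries before the first transaction header
        if msg.startswith("Adding request argument (BODY)"):
            current["body_parsed_as_args"] = True
        elif msg.startswith("Target value:"):
            current["target_evaluated"] = True
        m = BODYLEN_RE.search(msg)
        if m:
            current["body_length"] = int(m.group("n"))
        m = RULE_RET_RE.match(msg)
        if m:
            current["rule_results"].append(int(m.group("rc")))
    for tx in transactions:
        tx["verdict"] = verdict(tx)
    return transactions


if __name__ == "__main__":
    for tx in triage(SAMPLE_LOG):
        print(tx["txid"], tx["uri"], tx["verdict"])
```

Run it against a real SecDebugLog written at level 9 and look for transactions whose verdict starts with "not evaluated": those are the requests where the target variable was empty, which is a body-processor question rather than a regex question, and is exactly what the text/xml request above shows.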
Martin Sperl | 6 Oct 2011 01:29

Re: mod_security and XML

Hi Ryan!

I had tried this as well before posting here - it does NOT solve the issue...
(I had removed all the default rules so that I could minimize the reported data and avoid unwanted side effects)

BTW: the same seems to apply also to the response - if it has an xml mime-type then I cannot match the body via
a regexp (it seems empty)...

Thanks,
	Martin

-----Original Message-----
From: Ryan Barnett [mailto:RBarnett <at> trustwave.com] 
Sent: Wednesday, October 05, 2011 16:16
To: Martin Sperl
Cc: mod-security-users <at> lists.sourceforge.net
Subject: Re: [mod-security-users] mod_security and XML

You need a rule that activates the XML request body parser.

If you use the recommended base config it will handle this for you -
http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#A_Recommended_Base_Configuration


Ryan

On Oct 5, 2011, at 7:09 PM, "Martin Sperl" <Martin.Sperl <at> amdocs.com> wrote:

Hi!

I got a simple single rule like this:
SecRule REQUEST_BODY "<wsse:Username>(.*)</wsse:Username>" phase:2,capture,t:none,setenv:SOAPUser=%{TX.1}

And no other rules configured at all!

When I send in the request with curl like this:
curl -k http://hostname/whatever/the/url --data-binary "<wsse:Username>mytest</wsse:Username>"

Then mod_security does match the regexp and set the environment variable.

But when I send the SAME request like this:
curl -k http://hostname/whatever/the/url --data-binary "<wsse:Username>mytest</wsse:Username>" -H "Content-Type: text/xml;charset=UTF-8"

it does not match and thus does not set the environment variable – even though it contains the SAME post.

In the matching case I get in the debug logs (set to 9) a line like this:
[05/Oct/2011:22:57:36 +0000]
[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][5] Adding request argument
(BODY): name "<wsse:Username>mytest</wsse:Username>", value ""

This does not happen when sending the Content-Type header…

Is there an easy way to make it work in BOTH cases or at least to achieve the same in both cases?

Thanks,
                Martin



Ryan Barnett | 6 Oct 2011 02:01

Re: mod_security and XML

If you are activating the XML request body parser, then you should use the
XML:/Username/text() XPath variable in your rule instead of REQUEST_BODY.
Here is the debug log:

#############
Rule 101427888: SecRule "XML:/Username/text()" "@rx (.*)" "phase:2,pass,log,capture,t:none,setenv:SOAPUser=%{TX.1}"
Transformation completed in 1 usec.
Executing operator "rx" with param "(.*)" against XML:/Username/text().
Target value: "mytest"
Added regex subexpression to TX.0: mytest
Added regex subexpression to TX.1: mytest
Operator completed in 15 usec.
Setting env variable: SOAPUser=%{TX.1}
Resolved macro %{TX.1} to: mytest
Set env variable "SOAPUser" to: mytest
Warning. Pattern match "(.*)" at XML. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_15_customrules.conf"] [line "2"]
#############

If you want to force the use of REQUEST_BODY variable, then I suggest you
add a custom rule to do so like this -

SecRule REQUEST_URI "@streq /path/to/file" "phase:1,t:none,nolog,pass,ctl:forceRequestBodyVariable=On"

This will populate the REQUEST_BODY variable with data.  I added this type
of rule and then ran your same test and it works -

#############

Rule 10141ef48: SecRule "REQUEST_BODY" "@rx <wsse:Username>(.*)</wsse:Username>" "phase:2,pass,log,capture,t:none,setenv:SOAPUser=%{TX.1}"
Transformation completed in 0 usec.
Executing operator "rx" with param "<wsse:Username>(.*)</wsse:Username>" against REQUEST_BODY.
Target value: "<wsse:Username>mytest</wsse:Username>"
Added regex subexpression to TX.0: <wsse:Username>mytest</wsse:Username>
Added regex subexpression to TX.1: mytest
Operator completed in 18 usec.
Setting env variable: SOAPUser=%{TX.1}
Resolved macro %{TX.1} to: mytest
Set env variable "SOAPUser" to: mytest
Warning. Pattern match "<wsse:Username>(.*)</wsse:Username>" at REQUEST_BODY. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_15_customrules.conf"] [line "2"]
#############

-Ryan
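
The two fixes Ryan describes, written out as one minimal configuration so the difference is visible side by side. This is an added example, not the thread's own rules and not the recommended base configuration; the rule ids, the Content-Type pattern and the path are values chosen for the example, while the XPath target, the ctl actions and the setenv rule are the ones that appear in the thread.

```apache
# Added example (not from the thread): two ways to get the value of
# <wsse:Username>mytest</wsse:Username> into the SOAPUser env variable.
# Rule ids, the Content-Type pattern and the path are assumed values.

SecRuleEngine On
SecRequestBodyAccess On

# Option 1 (what the recommended base configuration does): switch the body
# processor to XML for XML content types in phase 1, then read the value
# through the XML collection with an XPath expression instead of REQUEST_BODY.
# In the debug log this rule shows 'Target value: "mytest"'.
SecRule REQUEST_HEADERS:Content-Type "@rx ^text/xml" \
    "id:900101,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

SecRule XML:/Username/text() "@rx (.*)" \
    "id:900102,phase:2,t:none,pass,log,capture,setenv:SOAPUser=%{TX.1}"

# Option 2: keep the raw-body regex. For a text/xml request with no processor
# that fills REQUEST_BODY, the variable is empty and the phase 2 rule logs
# "Rule returned 0" without ever printing a "Target value:" line, so force
# the variable for the affected path first. Scoping it to the URI keeps the
# extra copy of the body limited to the requests that need it.
SecRule REQUEST_URI "@streq /whatever/the/url" \
    "id:900103,phase:1,t:none,nolog,pass,ctl:forceRequestBodyVariable=On"

SecRule REQUEST_BODY "@rx <wsse:Username>(.*)</wsse:Username>" \
    "id:900104,phase:2,t:none,pass,log,capture,setenv:SOAPUser=%{TX.1}"
```

Whichever option is used, the check is the same as in Ryan's logs: with SecDebugLogLevel 9 the phase 2 rule must print a "Target value:" line before "Rule returned 1". A rule that goes straight to "Rule returned 0" had nothing to match against, which points at the body processor, not at the regex.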

On 10/5/11 7:29 PM, "Martin Sperl" <Martin.Sperl <at> amdocs.com> wrote:

>Hi Ryan!
>
>I had tried this as well before posting here - it does NOT solve the
>issue...
>(I had removed all the default rules so that I could minimize the
>reported data and avoid unwanted side effects)
>
>BTW: the same seems to apply also to the response - if it has an xml
>mime-type then I cannot match the body via a regexp (it seems
>empty)...
>
>Thanks,
>        Martin
>
>-----Original Message-----
>From: Ryan Barnett [mailto:RBarnett <at> trustwave.com]
>Sent: Wednesday, October 05, 2011 16:16
>To: Martin Sperl
>Cc: mod-security-users <at> lists.sourceforge.net
>Subject: Re: [mod-security-users] mod_security and XML
>
>You need a rule that activates the XML request body parser.
>
>If you use the recommended base config it will handle this for you -
>http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Referen
>ce_Manual#A_Recommended_Base_Configuration
>
>Ryan
>
>On Oct 5, 2011, at 7:09 PM, "Martin Sperl" <Martin.Sperl <at> amdocs.com>
>wrote:
>
>Hi!
>
>I got a simple single rule like this:
>SecRule REQUEST_BODY "<wsse:Username>(.*)</wsse:Username>"
>phase:2,capture,t:none,setenv:SOAPUser=%{TX.1}
>
>And no other rules configured at all!
>
>When I send in the request with curl like this:
>curl -k http://hostname/whatever/the/url --data-binary
>"<wsse:Username>mytest</wsse:Username>"
>
>Then mod_security does match the regexp and set the environment variable.
>
>But when I send the SAME request like this:
>curl -k http://hostname/whatever/the/url --data-binary
>"<wsse:Username>mytest</wsse:Username>" -H "Content-Type:
>text/xml;charset=UTF-8"
>
>it does not match and thus does not set the environment variable, even
>though it contains the SAME post.
>
>In the matching case I get in the debug logs (set to 9) a line like this:
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][5]
>Adding request argument (BODY): name
>"<wsse:Username>mytest</wsse:Username>", value ""
>
>This does not happen when sending the Content-Type header...
>
>Is there an easy way to make it work in BOTH cases, or at least to achieve
>the same in both cases?
>
>Thanks,
>                Martin
>
>P.S.: Here is the full debug log:
>
>The request without the content-type:
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Initialising transaction (txid Tozg4AoKCvwAADp5kI4AAAAB).
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Transaction context created (dcfg 7f1582da1e18).
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] First
>phase starting (dcfg 7f1582da1e18).
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Starting phase REQUEST_HEADERS.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This
>phase consists of 0 rule(s).
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Second phase starting (dcfg 7f1582da1e18).
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input
>filter: Reading request body.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Input
>filter: Bucket type HEAP contains 37 bytes.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Input
>filter: Bucket type EOS contains 0 bytes.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][5]
>Adding request argument (BODY): name
>"<wsse:Username>mytest</wsse:Username>", value ""
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input
>filter: Completed receiving request body (length 37).
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Starting phase REQUEST_BODY.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This
>phase consists of 1 rule(s).
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Recipe: Invoking rule 7f1582e0d370; [file
>"/etc/httpd/modsecurity.d/ourrules.conf"] [line "4"].
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][5] Rule
>7f1582e0d370: SecRule "REQUEST_BODY" "@rx
><wsse:Username>(.*)</wsse:Username>"
>"phase:2,log,auditlog,pass,capture,t:none,setenv:SOAPUser=%{TX.1}"
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Transformation completed in 7 usec.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Executing operator "rx" with param "<wsse:Username>(.*)</wsse:Username>"
>against REQUEST_BODY.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9]
>Target value: "<wsse:Username>mytest</wsse:Username>"
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Added
>regex subexpression to TX.0: <wsse:Username>mytest</wsse:Username>
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Added
>regex subexpression to TX.1: mytest
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Operator completed in 83 usec.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9]
>Setting env variable: SOAPUser=%{TX.1}
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9]
>Resolved macro %{TX.1} to: mytest
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Set
>env variable "SOAPUser" to: mytest
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][2]
>Warning. Pattern match "<wsse:Username>(.*)</wsse:Username>" at
>REQUEST_BODY. [file "/etc/httpd/modsecurity.d/ourrules.conf"] [line "4"]
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Rule
>returned 1.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Match
>-> mode NEXT_RULE.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook
>insert_filter: Adding input forwarding filter (r 7f1582f0b8f8).
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook
>insert_filter: Adding output filter (r 7f1582f0b8f8).
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input
>filter: Forwarding input: mode=0, block=0, nbytes=8192 (f 7f1582f14908, r
>7f1582f0b8f8).
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input
>filter: Forwarded 37 bytes.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input
>filter: Sent EOS.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input
>filter: Input forwarding complete.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook
>insert_error_filter: Adding output filter (r 7f1582f0b8f8).
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9]
>Output filter: Receiving output (f 7f1582f14bb0, r 7f1582f0b8f8).
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Starting phase RESPONSE_HEADERS.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This
>phase consists of 0 rule(s).
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9]
>Content Injection: Not enabled.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9]
>Output filter: Bucket type HEAP contains 296 bytes.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9]
>Output filter: Bucket type EOS contains 0 bytes.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Output filter: Completed receiving response body (buffered full - 296
>bytes).
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Starting phase RESPONSE_BODY.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This
>phase consists of 0 rule(s).
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Output filter: Output forwarding complete.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Initialising logging.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Starting phase LOGGING.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This
>phase consists of 0 rule(s).
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Recording persistent data took 0 microseconds.
>[05/Oct/2011:22:57:36 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Audit
>log: Not configured to run for this request.
>
>The request with the mime-type header set:
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Initialising transaction (txid Tozg6goKCvwAADp6kUAAAAAC).
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Transaction context created (dcfg 7f1582da1e18).
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] First
>phase starting (dcfg 7f1582da1e18).
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Starting phase REQUEST_HEADERS.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This
>phase consists of 0 rule(s).
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Second phase starting (dcfg 7f1582da1e18).
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input
>filter: Reading request body.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Input
>filter: Bucket type HEAP contains 37 bytes.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] Input
>filter: Bucket type EOS contains 0 bytes.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Request body no files length: 0
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input
>filter: Completed receiving request body (length 37).
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Starting phase REQUEST_BODY.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This
>phase consists of 1 rule(s).
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Recipe: Invoking rule 7f1582e0d370; [file
>"/etc/httpd/modsecurity.d/ourrules.conf"] [line "4"].
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][5] Rule
>7f1582e0d370: SecRule "REQUEST_BODY" "@rx
><wsse:Username>(.*)</wsse:Username>"
>"phase:2,log,auditlog,pass,capture,t:none,setenv:SOAPUser=%{TX.1}"
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Rule
>returned 0.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] No
>match, not chained -> mode NEXT_RULE.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook
>insert_filter: Adding input forwarding filter (r 7f1582f0b8f8).
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook
>insert_filter: Adding output filter (r 7f1582f0b8f8).
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input
>filter: Forwarding input: mode=0, block=0, nbytes=8192 (f 7f1582f148f0, r
>7f1582f0b8f8).
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input
>filter: Forwarded 37 bytes.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input
>filter: Sent EOS.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Input
>filter: Input forwarding complete.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Hook
>insert_error_filter: Adding output filter (r 7f1582f0b8f8).
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9]
>Output filter: Receiving output (f 7f1582f14b98, r 7f1582f0b8f8).
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Starting phase RESPONSE_HEADERS.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This
>phase consists of 0 rule(s).
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9]
>Content Injection: Not enabled.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9]
>Output filter: Bucket type HEAP contains 296 bytes.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9]
>Output filter: Bucket type EOS contains 0 bytes.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Output filter: Completed receiving response body (buffered full - 296
>bytes).
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Starting phase RESPONSE_BODY.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This
>phase consists of 0 rule(s).
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Output filter: Output forwarding complete.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Initialising logging.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Starting phase LOGGING.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][9] This
>phase consists of 0 rule(s).
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4]
>Recording persistent data took 0 microseconds.
>[05/Oct/2011:22:57:46 +0000]
>[hostname/sid#7f1582e28e28][rid#7f1582f0b8f8][/whatever/the/url][4] Audit
>log: Not configured to run for this request.
>
>
>This message and the information contained herein is proprietary and
>confidential and subject to the Amdocs policy statement,
>you may review at http://www.amdocs.com/email_disclaimer.asp
>
>
>--------------------------------------------------------------------------
>----
>All the data continuously generated in your IT infrastructure contains a
>definitive record of customers, application performance, security
>threats, fraudulent activity and more. Splunk takes this data and makes
>sense of it. Business sense. IT sense. Common sense.
>http://p.sf.net/sfu/splunk-d2dcopy1
>_______________________________________________
>mod-security-users mailing list
>mod-security-users <at> lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/mod-security-users
>Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>http://www.modsecurity.org/projects/commercial/rules/
>http://www.modsecurity.org/projects/commercial/support/
>
>________________________________
>This transmission may contain information that is privileged,
>confidential, and/or exempt from disclosure under applicable law. If you
>are not the intended recipient, you are hereby notified that any
>disclosure, copying, distribution, or use of the information contained
>herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
>received this transmission in error, please immediately contact the
>sender and destroy the material in its entirety, whether in electronic or
>hard copy format.



Rechtberger Friedrich | 6 Oct 2011 12:06

after Upgrade from 2.6.1 to 2.6.2 SecRuleUpdateTargetById does not work as expected

Hi,

After upgrading from 2.6.1 to 2.6.2, SecRuleUpdateTargetById does not work
as expected.

1.) Directive "SecRuleUpdateTargetById 973020 !REQUEST_COOKIES:/ISAWPLB/|!REQUEST_COOKIES:KAV-WWW|!REQUEST_COOKIES_NAMES:/ISAWPLB/|!REQUEST_COOKIES_NAMES:KAV-WWW" in /etc/httpd/modsecurity.d/modsecurity_crs_60_customrules.conf

- in 2.6.1 the UpdateTargets are o.k.:

[06/Oct/2011:11:28:14 +0200] [www.testsite.at/sid#2b2a0d365d58][rid#2b2a0e576200][/kav/][4] Recipe: Invoking rule 2b2a0ddfe050; [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "524"] [id "973020"].
[06/Oct/2011:11:28:14 +0200] [www.testsite.at/sid#2b2a0d365d58][rid#2b2a0e576200][/kav/][5] Rule 2b2a0ddfe050: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|!REQUEST_COOKIES:/ISAWPLB/|!REQUEST_COOKIES:KAV-WWW|!REQUEST_COOKIES_NAMES:/ISAWPLB/|!REQUEST_COOKIES_NAMES:KAV-WWW" "@pm ~ ! @ # $ % ^ & * ( ) - + = { } [ ] | : ; \" ' \xc2\xb4 \xe2\x80\x99 \xe2\x80\x98 ` < >" "phase:2,capture,id:973020,t:none,t:urlDecodeUni,log,pass,setvar:tx.restricted_sqli_char_payloads_%{matched_var_name}=%{matched_var}"

- in 2.6.2 all UpdateTargets are missing:

[06/Oct/2011:11:33:47 +0200] [www.testsite.at/sid#2b2a0e461958][rid#2b2a0e576200][/kav/][5] Rule 2b2a0da884a0: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*" "@pm ~ ! @ # $ % ^ & * ( ) - + = { } [ ] | : ; \" ' \xc2\xb4 \xe2\x80\x99 \xe2\x80\x98 ` < >" "phase:2,capture,id:973020,t:none,t:urlDecodeUni,log,pass,setvar:tx.restricted_sqli_char_payloads_%{matched_var_name}=%{matched_var}"

2.) Change Directive to
-----------------------

SecRuleUpdateTargetById 973020 !REQUEST_COOKIES:/ISAWPLB/
SecRuleUpdateTargetById 973020 !REQUEST_COOKIES_NAMES:/ISAWPLB/
SecRuleUpdateTargetById 973020 !REQUEST_COOKIES:KAV-WWW
SecRuleUpdateTargetById 973020 !REQUEST_COOKIES_NAMES:KAV-WWW

- in 2.6.2 the UpdateTargets are o.k.:

[06/Oct/2011:11:37:31 +0200] [www.testsite.at/sid#2b2a0c776950][rid#2b2a0e578210][/kav][5] Rule 2b2a0d714550: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|!REQUEST_COOKIES:/ISAWPLB/|!REQUEST_COOKIES_NAMES:/ISAWPLB/|!REQUEST_COOKIES:KAV-WWW|!REQUEST_COOKIES_NAMES:KAV-WWW" "@pm ~ ! @ # $ % ^ & * ( ) - + = { } [ ] | : ; \" ' \xc2\xb4 \xe2\x80\x99 \xe2\x80\x98 ` < >" "phase:2,capture,id:973020,t:none,t:urlDecodeUni,log,pass,setvar:tx.restricted_sqli_char_payloads_%{matched_var_name}=%{matched_var}"

3.) But when I change the order to:
------------------------------------

SecRuleUpdateTargetById 973020 !REQUEST_COOKIES_NAMES:/ISAWPLB/
SecRuleUpdateTargetById 973020 !REQUEST_COOKIES:/ISAWPLB/
SecRuleUpdateTargetById 973020 !REQUEST_COOKIES:KAV-WWW
SecRuleUpdateTargetById 973020 !REQUEST_COOKIES_NAMES:KAV-WWW

- in 2.6.2 the UpdateTarget !REQUEST_COOKIES:/ISAWPLB/ is missing; in
2.6.1 the UpdateTargets are o.k.:

[06/Oct/2011:11:44:04 +0200] [www.testsite.at/sid#2b2a0c7e45d8][rid#2b2a0e57a220][/kav/][5] Rule 2b2a0d456ce0: SecRule "REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|!REQUEST_COOKIES_NAMES:/ISAWPLB/|!REQUEST_COOKIES:KAV-WWW|!REQUEST_COOKIES_NAMES:KAV-WWW" "@pm ~ ! @ # $ % ^ & * ( ) - + = { } [ ] | : ; \" ' \xc2\xb4 \xe2\x80\x99 \xe2\x80\x98 ` < >" "phase:2,capture,id:973020,t:none,t:urlDecodeUni,log,pass,setvar:tx.restricted_sqli_char_payloads_%{matched_var_name}=%{matched_var}"

Is this a bug, or am I doing something wrong?

Thanks,
Friedrich
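
An added check, not code from the thread or from ModSecurity itself, that automates what Friedrich did by eye: it parses the level-5 "Rule ...: SecRule" debug line for a rule and reports which targets named in SecRuleUpdateTargetById directives are absent from the compiled target list. The sample log lines and directives are constructed to mirror cases 1 and 3 of the report (operator lists shortened); the regexes and function names are mine, not ModSecurity's.

```python
import re

# Constructed samples shaped like the level-5 debug lines in the report (one
# line each; the list wrapped them). Rule 973020 as 2.6.1 compiled it (case 1):
LINE_261 = (
    '[06/Oct/2011:11:28:14 +0200] [www.testsite.at/sid#2b2a0d365d58]'
    '[rid#2b2a0e576200][/kav/][5] Rule 2b2a0ddfe050: SecRule "REQUEST_COOKIES|'
    'REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|'
    '!REQUEST_COOKIES:/ISAWPLB/|!REQUEST_COOKIES:KAV-WWW|'
    '!REQUEST_COOKIES_NAMES:/ISAWPLB/|!REQUEST_COOKIES_NAMES:KAV-WWW" '
    '"@pm ~ ! @ # $ \\" \' ` < >" "phase:2,capture,id:973020,t:none,log,pass"'
)
# The same rule as 2.6.2 compiled it from the reordered one-per-line
# directives (case 3 in the report): one exclusion is silently dropped.
LINE_262 = (
    '[06/Oct/2011:11:44:04 +0200] [www.testsite.at/sid#2b2a0c7e45d8]'
    '[rid#2b2a0e57a220][/kav/][5] Rule 2b2a0d456ce0: SecRule "REQUEST_COOKIES|'
    'REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|'
    '!REQUEST_COOKIES_NAMES:/ISAWPLB/|!REQUEST_COOKIES:KAV-WWW|'
    '!REQUEST_COOKIES_NAMES:KAV-WWW" "@pm ~ ! @ # $ \\" \' ` < >" '
    '"phase:2,capture,id:973020,t:none,log,pass"'
)
DIRECTIVES_ONE_LINE = [
    'SecRuleUpdateTargetById 973020 "!REQUEST_COOKIES:/ISAWPLB/|!REQUEST_COOKIES:'
    'KAV-WWW|!REQUEST_COOKIES_NAMES:/ISAWPLB/|!REQUEST_COOKIES_NAMES:KAV-WWW"',
]
DIRECTIVES_REORDERED = [
    'SecRuleUpdateTargetById 973020 !REQUEST_COOKIES_NAMES:/ISAWPLB/',
    'SecRuleUpdateTargetById 973020 !REQUEST_COOKIES:/ISAWPLB/',
    'SecRuleUpdateTargetById 973020 !REQUEST_COOKIES:KAV-WWW',
    'SecRuleUpdateTargetById 973020 !REQUEST_COOKIES_NAMES:KAV-WWW',
]

RULE_LINE = re.compile(r'\[5\] Rule (?P<ptr>[0-9a-f]+): SecRule (?P<rest>.*)$')
UPDATE_DIRECTIVE = re.compile(r'^\s*SecRuleUpdateTargetById\s+(\S+)\s+(.+?)\s*$')


def quoted_fields(text):
    """Split text into its double-quoted fields, keeping backslash escapes."""
    fields, i = [], 0
    while (start := text.find('"', i)) >= 0:
        j, buf = start + 1, []
        while j < len(text) and text[j] != '"':
            step = 2 if text[j] == '\\' else 1   # keep escape + escaped char
            buf.append(text[j:j + step])
            j += step
        fields.append(''.join(buf))
        i = j + 1
    return fields


def parse_rule_line(line):
    """Parse a level-5 'Rule <ptr>: SecRule ...' debug line; None otherwise."""
    m = RULE_LINE.search(line)
    if m is None:
        return None
    fields = quoted_fields(m.group('rest'))   # targets, operator, actions
    if len(fields) < 3:
        return None
    actions = fields[2].split(',')
    rule_id = next((a.split(':', 1)[1].strip("'") for a in actions
                    if a.startswith('id:')), None)
    return {'ptr': m.group('ptr'), 'id': rule_id, 'targets': fields[0].split('|'),
            'operator': fields[1], 'actions': actions}


def expected_targets(directives):
    """Map rule id -> targets its SecRuleUpdateTargetById directives add."""
    wanted = {}
    for directive in directives:
        m = UPDATE_DIRECTIVE.match(directive)
        if m is None:
            continue
        rule_id, spec = m.groups()
        wanted.setdefault(rule_id, []).extend(
            t for t in spec.strip('"').split('|') if t)
    return wanted


def missing_updates(rule_line, directives):
    """Targets the directives asked for that the compiled rule does not carry."""
    rule = parse_rule_line(rule_line)
    if rule is None:
        raise ValueError('not a level-5 "Rule ...: SecRule" debug line')
    wanted = expected_targets(directives).get(rule['id'], [])
    return [t for t in wanted if t not in set(rule['targets'])]
```

Run it over a debug log (level 5 or higher) after any upgrade: a non-empty result means an exclusion was dropped and the rule inspects variables the configuration says it should not.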


Breno Silva | 6 Oct 2011 16:13

Re: after Upgrade from 2.6.1 to 2.6.2 SecRuleUpdateTargetById does not work as expected

Looks like a bug.

Can you open a ticket? Fix version (2.6.3).

thanks

Breno

On Thu, Oct 6, 2011 at 5:06 AM, Rechtberger Friedrich <friedrich.rechtberger <at> wienkav.at> wrote:
Hi,

After upgrading from 2.6.1 to 2.6.2, SecRuleUpdateTargetById does not work
as expected.
