Comments (9)
It is great to read that this bug is fixed. At least in theory. Considering that this fix only exists in modsec3 which is a completely different product (quote from the mainpage: »Libmodsecurity is a complete rewrite of the ModSecurity platform« »It is no longer just a module.«) and especially that there is no connector for apache (https://github.com/SpiderLabs/ModSecurity-apache »This project should be considered under development and not production ready. The functionality is not complete and so should not be used. With Apache HTTP Server, the recommended version of ModSecurity is v2.9.x.«), in practice I consider it misleading to mark this bug fixed for most users of modsec.
Please reopen this bug and fix it in modsec2.
(For the future: please consider finding a new name, not just increasing the version number, if you create a new product.)
from modsecurity.
SecRuleUpdateTargetById runs before the merge of contexts. So it works under VirtualHost, but the rule should be present in the same context:
<VirtualHost *:80>
    # the rule set is loaded here, in the same context as the update
    Include "rules/*.conf"
    SecRuleUpdateTargetById 973020 !REQUEST_COOKIES
    ...
</VirtualHost>
We need to improve it by making this directive run after the merge.
Consider using ctl:removeTargetById
Thanks
from modsecurity.
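The placement rule stated in the comment above, as an added example that is not part of the original thread and not ModSecurity project code. It is written for ModSecurity 2.x under Apache httpd. Rule 973020 and the REQUEST_COOKIES target are the ones the comment uses; the include path, the ServerName and rule id 10001 are placeholders. Layouts B and C are alternatives, not meant to be active together.

```apache
# Added example (not from the thread or the ModSecurity project).
# Assumptions: ModSecurity 2.x, Apache httpd, rule 973020 is loaded by the
# included rule set, /etc/modsecurity/rules/ and app.example.com are placeholders.

# --- Layout A: the update does NOT take effect ----------------------------
# The rule set is loaded in the server context and the update is issued inside
# the vhost. Because SecRuleUpdateTargetById is applied before the server and
# vhost contexts are merged, rule 973020 is not visible in the vhost at that
# moment and REQUEST_COOKIES stays in its target list.
Include "/etc/modsecurity/rules/*.conf"

<VirtualHost *:80>
    ServerName app.example.com
    SecRuleUpdateTargetById 973020 "!REQUEST_COOKIES"
</VirtualHost>

# --- Layout B: the update takes effect -------------------------------------
# Rule set and update live in the same (vhost) context, so the update finds the
# rule. Cost: every vhost that needs exclusions carries its own copy of the
# rule set.
<VirtualHost *:80>
    ServerName app.example.com
    Include "/etc/modsecurity/rules/*.conf"
    SecRuleUpdateTargetById 973020 "!REQUEST_COOKIES"
</VirtualHost>

# --- Layout C: runtime exclusion instead of a config-time one --------------
# Rules stay in the server context. ctl acts per request at rule-evaluation
# time, after the contexts have been merged, so the vhost scope is no problem.
# The exclusion rule must run in a phase no later than the rule it modifies
# (phase 1 here; the target rule is a phase 2 rule), and it must be placed
# after the rule set so that the id it refers to already exists.
<VirtualHost *:80>
    ServerName app.example.com
    SecAction "id:10001,phase:1,pass,nolog,t:none,\
        ctl:ruleRemoveTargetById=973020;REQUEST_COOKIES"
</VirtualHost>
```

Layout C is the one that works in a shared setup where only the vhost is under your control; its limitation, raised further down in the thread, is that each ctl action names exactly one target.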
Any news on this?
This is a major annoyance.
from modsecurity.
The same applies to "SecRuleUpdateTargetByTag", which also does not work inside a VirtualHost scope
from modsecurity.
Any plan to fix this?
Using ctl:removeTargetById is not always possible, especially in a shared environment where you can only add rules after the default ones.
The behavior should be, for any location:
- remove the rule with specified id
- create a new version of that rule (same id) with the exception
from modsecurity.
Main problem:
ctl:removeTargetById doesn't know how to work with regex. For instance:
ctl:ruleRemoveTargetByID=981248;ARGS:widget-text[4][text] - OK
ctl:ruleRemoveTargetByID=981248;ARGS:/^widget/ - BAD
from modsecurity.
This situation is not a problem; you need a trick with chains. However, since the ctl action doesn't use macros, you can do it like this:
# For -> ARGS_NAMES:columns[numbers][text][text]
SecRule REQUEST_URI "@rx ^/admin/path.*" \
    "id:'1013',phase:1,t:none,log,chain,\
    msg:'MATCHED_VAR_NAME - %{MATCHED_VAR_NAME}'"
    # chained rule: ctl fires only when the URI matched AND an argument name matched
    SecRule ARGS_NAMES "@rx columns\[[0-9]+\]\[[a-z]+\]\[[a-z]+\]" "ctl:ruleRemoveByID=981173"
If you add a small patch and recompile the module, the result can be more restrictive. In this case we could make an exception for each MATCHED_VAR_NAME exactly.
    # second rule of the chain above, with the patched ctl that expands the macro
    SecRule ARGS_NAMES "@rx columns\[[0-9]+\]\[[a-z]+\]\[[a-z]+\]" \
        "ctl:ruleRemoveTargetByID=981173;%{MATCHED_VAR_NAME}"
best regards, Andrei
upwork.link
from modsecurity.
This does not work in ModSecurity 2.9 and Apache. I am able to log a %{MATCHED_VAR} and %{MATCHED_VAR_NAME}, so it detects the array fine, but ctl does not appear to be taking %{MATCHED_VAR_NAME} or %{MATCHED_VAR} when it's passed to it. The only solution was moving rules to the global config outside the VirtualHost. Really bad. Not impressed with the ModSecurity team, so many open issues and bugs like this for years. It blows my mind that ctl:ruleRemoveTargetById does not simply accept regex in the target name; most websites make use of arrays and other dynamically named REQUEST variables.
from modsecurity.
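The three ways to exclude dynamically named parameters that the last few comments circle around (exact ctl targets, a regex target, and the chain that removes the whole rule), as an added example that is not part of the thread and not ModSecurity project code. It assumes ModSecurity 2.9 under Apache httpd. Rule 981248 and the widget-text[N][text] parameter names are taken from the comments above; the /admin/ path, the include path and rule ids 10010 and 10011 are placeholders. The regex form relies on SecRuleUpdateTargetById taking an ordinary variable list, which is assumed here from the directive's syntax; the thread's own finding that ctl takes neither regex nor macros is kept as stated.

```apache
# Added example (not from the thread or the ModSecurity project).
# Assumptions: ModSecurity 2.9, Apache httpd; rule 981248 is loaded by the
# included rule set; /admin/, the include path and ids 10010/10011 are placeholders.

# --- 1. What ctl accepts: one exact target per action, no regex, no macro -----
# Every dynamic name has to be spelled out, one ctl action per index.
# Works from inside a VirtualHost because ctl is evaluated per request.
SecRule REQUEST_URI "@beginsWith /admin/" \
    "id:10010,phase:1,pass,nolog,t:none,\
    ctl:ruleRemoveTargetById=981248;ARGS:widget-text[0][text],\
    ctl:ruleRemoveTargetById=981248;ARGS:widget-text[1][text],\
    ctl:ruleRemoveTargetById=981248;ARGS:widget-text[2][text]"

# --- 2. Regex target at configuration time -------------------------------------
# SecRuleUpdateTargetById takes a normal variable list, so the ARGS:/regex/
# selector can be used. Per the thread, the directive must sit in the same
# context as the Include that loads rule 981248 (both in the server context, or
# both inside the same vhost); in a different context it silently does nothing.
Include "/etc/modsecurity/rules/*.conf"
SecRuleUpdateTargetById 981248 "!ARGS:/^widget-text\[[0-9]+\]\[text\]$/"

# --- 3. Runtime fallback: drop the whole rule, but only for matching requests --
# For the shared-hosting case (rules loaded globally, you can only append
# rules), narrow by path and by the dynamic argument name in a chain. The ctl
# action is on the chained rule, so it fires only when both parts matched.
# Trade-off: 981248 is skipped for ALL parameters of such a request, not just
# the widget-text ones, so keep the path condition as tight as possible.
SecRule REQUEST_URI "@beginsWith /admin/" \
    "id:10011,phase:1,pass,nolog,t:none,chain"
    SecRule ARGS_NAMES "@rx ^widget-text\[[0-9]+\]\[text\]$" \
        "t:none,ctl:ruleRemoveById=981248"
```

Form 2 is the least lossy (only the named parameters are excluded, and only from that rule) but is bound to the context problem this issue is about; form 3 is the one that still works when the exclusion can only be appended after globally loaded rules.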
SecRuleUpdate*ById is no longer an issue with version 3.0.
from modsecurity.