LinuxQuestions.org


tincboy 12-19-2011 07:04 AM

except in mod_security2 rule
 
I want to make a mod_security2 rule which blocks the word "select" in an HTTP packet but not "selected".
I've used the rule below but it doesn't act as I'd like.



Code:

SecRule REQUEST_URI|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML "@pm select !selected"

Any experience in doing so?

agentbuzz 12-19-2011 01:25 PM

Mod Security rule for negation
 
tincboy,
How about this:
Code:

SecRule !ARGS selected
SecRule REQUEST_URI|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML "@pm select" deny


tincboy 12-19-2011 11:17 PM

Thanks agentbuzz,
The rule you suggested didn't work.

Valery Reznic 12-20-2011 04:12 AM

What about the following:

Code:

SecRule REQUEST_URI|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML "@pm select[^e]"


tincboy 12-21-2011 04:29 AM

Thanks Valery,
Your suggested rule didn't work either.
Do you know what that @pm in the rule is for?

Valery Reznic 12-21-2011 04:43 AM

Quote:

Originally Posted by tincboy (Post 4555101)
Thanks Valery,
Your suggested rule didn't work either.
Do you know what that @pm in the rule is for?

Heh. It was in your rule in the first place, so it's you who is supposed to know it :)

I think @pm specifies the node (or attribute) in XML where to look for the specified keyword. Maybe the rule should look like:

Code:

SecRule REQUEST_URI|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML "@pm" select[^e]

Please note the placement of the quotes, which is different from the previous post.


or even just
Code:

SecRule REQUEST_URI|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML  select[^e]

I am too lazy to check what modsecurity's exact rule syntax is :(

agentbuzz 12-21-2011 09:48 AM

@pm meaning
 
tincboy,
@pm is Pattern match! It's an alternative to the "rx" (regular expression) operator.

Valery Reznic 12-21-2011 02:56 PM

Quote:

Originally Posted by agentbuzz (Post 4555336)
tincboy,
@pm is Pattern match! It's an alternative to the "rx" (regular expression) operator.

Thanks. Now I have read it myself. My rule needed the rx operator (or no operator at all).
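
Added example (not part of the original thread): a small Python model of how the operator strings tried above behave on constructed request values. It assumes @pm is a case-insensitive literal search for space-separated phrases and uses Python's re as a stand-in for ModSecurity's PCRE-based @rx; the sample values and the `\bselect\b` pattern are illustrative assumptions.

```python
import re

# Constructed sample values, standing in for ARGS / REQUEST_URI contents.
SAMPLES = [
    "id=1 UNION SELECT password FROM users",
    "option=selected",
    "q=select",
    "tab=selection",
    "x=1;select(1)",
]

def pm(phrases):
    """Model of @pm: case-insensitive literal search for any of the
    space-separated phrases; '!' and regex syntax have no special meaning."""
    words = [p.lower() for p in phrases.split()]
    return lambda value: any(w in value.lower() for w in words)

def rx(pattern):
    """Model of @rx: unanchored regex search (Python re standing in for PCRE)."""
    compiled = re.compile(pattern)
    return lambda value: compiled.search(value) is not None

# Operator strings from the thread, plus a word-boundary variant (assumption).
CANDIDATES = {
    "@pm select !selected": pm("select !selected"),
    "@pm select[^e]": pm("select[^e]"),            # treated as one literal phrase
    "@rx (?i)select[^e]": rx(r"(?i)select[^e]"),   # needs a character after 'select'
    r"@rx (?i)\bselect\b": rx(r"(?i)\bselect\b"),  # whole word only
}

def evaluate():
    """Return {operator string: [sample values it matches]}."""
    return {name: [s for s in SAMPLES if match(s)]
            for name, match in CANDIDATES.items()}

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:24} -> {hits}")
```

In this model the first @pm string matches every sample including "selected", the second matches nothing, `select[^e]` under @rx misses a value that ends in "select" and still hits "selection", and only the word-boundary pattern separates "select" from "selected".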

