LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page except in mod_security2 rule
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-19-2011, 07:04 AM   #1
tincboy
Member
 
Registered: Apr 2010
Posts: 36

Rep: Reputation: 0
except in mod_security2 rule

I want to make a mod_security2 rule which blocks "select" word in http packet but not "selected"
I've used the rule below but it doesn't act as I like



Code:
SecRule REQUEST_URI|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML "@pm 
select !selected"
Any experiance in doing so?
 
Old 12-19-2011, 01:25 PM   #2
agentbuzz
Member
 
Registered: Oct 2010
Location: Texas
Distribution: Debian, Ubuntu, CentOS, RHEL
Posts: 131

Rep: Reputation: 25
Mod Security rule for negation
tincboy,
How about this:
Code:
SecRule !ARGS selected
SecRule REQUEST_URI|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML "@pm select" deny
 
Old 12-19-2011, 11:17 PM   #3
tincboy
Member
 
Registered: Apr 2010
Posts: 36

Original Poster
Rep: Reputation: 0
Thanks agentbuzz
The rule you suggested didn't work
 
Old 12-20-2011, 04:12 AM   #4
Valery Reznic
ELF Statifier author
 
Registered: Oct 2007
Posts: 676

Rep: Reputation: 137Reputation: 137
What about following:

Code:
SecRule REQUEST_URI|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML "@pm 
select[^e]"
 
Old 12-21-2011, 04:29 AM   #5
tincboy
Member
 
Registered: Apr 2010
Posts: 36

Original Poster
Rep: Reputation: 0
Thanks Valery,
Your sugested rule didn't work either,
Do you know what's for that @pm in rule?
 
Old 12-21-2011, 04:43 AM   #6
Valery Reznic
ELF Statifier author
 
Registered: Oct 2007
Posts: 676

Rep: Reputation: 137Reputation: 137
Quote:
Originally Posted by tincboy View Post
Thanks Valery,
Your sugested rule didn't work either,
Do you know what's for that @pm in rule?
He. It was in you rule in the first place, so it's you who supposed to know it

I think @pm specified node (or attribute) in XML where to look for the specified keyword. May be rule should looks like:

Code:
SecRule REQUEST_URI|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML "@pm" select[^e]
Please note different from the previous post placement of quotes


or even just
Code:
SecRule REQUEST_URI|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML  select[^e]
I am too lazy to check what modsecurity's rule exact syntax is
Last edited by Valery Reznic; 12-21-2011 at 04:44 AM.
 
Old 12-21-2011, 09:48 AM   #7
agentbuzz
Member
 
Registered: Oct 2010
Location: Texas
Distribution: Debian, Ubuntu, CentOS, RHEL
Posts: 131

Rep: Reputation: 25
@pm meaning
tincboy,
@pm is Pattern match! It's an alternative to the "rx" (regular expression) operator.
 
Old 12-21-2011, 02:56 PM   #8
Valery Reznic
ELF Statifier author
 
Registered: Oct 2007
Posts: 676

Rep: Reputation: 137Reputation: 137
Quote:
Originally Posted by agentbuzz View Post
tincboy,
@pm is Pattern match! It's an alternative to the "rx" (regular expression) operator.
Thanks. Now I read it myself. In my rule needed rx operator (or no operator at all)
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Snort - DynamicPlugin: Rule [##] not enabled in configuration, rule will not be used mhollis Linux - Software 3 08-29-2011 06:06 PM
Apache Server mod_security2 - problem with googlebot dlugasx Linux - Server 0 05-19-2009 04:38 AM
Mod_security2 and gotroot config question jpmad4it Linux - Security 0 01-19-2009 09:31 AM
mod_security2 buffering upload progress bar hoobastank68 Linux - Server 1 08-11-2008 06:11 PM
SecRule and mod_security2 mtruong Linux - Security 5 11-03-2006 03:00 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:14 AM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration