List: mod-security-users
Subject: [mod-security-users] Advice on Whitelisting JSON ARGS_NAMES
From: Neha Chriss <nchriss () gmail ! com>
Date: 2015-07-22 23:43:01
Message-ID: CALtuTm1y6+XLQz_MQYd9=B7xBknmXVWbv2rxHZDgbV8xHyN9Eg () mail ! gmail ! com
I want to whitelist alerts for a JSON-formatted ARGS_NAMES, and I'm not
quite sure what the best method is. Here's my current rule:
SecRule ARGS_NAMES:"(\{\"(data)\"\:)((\{\"[a-z_]+\"\:).*)" "(.*)"
"id:308,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=.*;ARGS_NAMES:(\{\"(data)\"\:)((\{\"[a-z_]+\"\:).*)"
As you can see, it's a bit unwieldy, and it doesn't seem to match for all
cases/combinations of fields. The second requirement I have is to restrict
this via URI, in this case '/new/data'.
Any comments appreciated.
Here's an alert below:
2015-07-22T22:02:03.61377 [Wed Jul 22 22:02:03.613737 2015] [:error] [pid 14702:tid 140281273739008] [client 10.72.2.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:981257-Detects MySQL comment-/space-obfuscated injections and backtick termination-OWASP_CRS/WEB_ATTACK/SQLI-ARGS_NAMES:{"data":{"categories":[{"uuid":"10009","name":"Books","folder":"School"}],"category_ids":["188"],"transaction_ids":["ed529b9f47ee-ab23-5b98-4404-d59a86b9","ed529b9f47ee-ab23-5b98-4404-d59a86b9","ed529b9f47ee-ab23-5b98-4404-d59a86b9"]}}. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 20, SQLi=4, XSS=0): Last Matched Message: 981243-Detects classic SQL injection probings 2/2"] [data "Last Matched Data: ,\\x22name\\x22:"] [hostname "host.name.com"] [uri "/new/data"] [unique_id "VbAS2wobA80AADluSjYAAADw"]
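An added example, not part of the post above and not ModSecurity code: the alert shows an entire JSON document sitting inside ARGS_NAMES, which is what happens when a JSON body is posted to a form-encoded endpoint and the whole body becomes one parameter *name*. The rule in the post tries to select that name with a regex, and the model below reproduces ModSecurity's regex variable selector (written ARGS_NAMES:/regex/ in rule syntax, an unanchored search over the name) in Python, runs the post's pattern against constructed argument names, and compares it with a tolerant, anchored replacement. The replacement pattern, the sample names other than the one taken from the alert, and the /new/data URI gate are assumptions of this example.

```python
import re

# Selector regex copied from the rule in the post. ModSecurity uses PCRE; Python's
# re module treats every construct used here the same way.
ORIGINAL_SELECTOR = r'(\{\"(data)\"\:)((\{\"[a-z_]+\"\:).*)'

# Proposed replacement (an assumption of this example, not from the post): anchored
# at the start of the name, tolerant of whitespace, and only requiring that the
# value of "data" opens a JSON object or array instead of spelling out its first key.
TOLERANT_SELECTOR = r'^\{\s*"data"\s*:\s*[\[{]'

# Constructed sample argument names for the comparison.
SAMPLE_ARG_NAMES = {
    # the name from the alert in the post (lowercase first key, no whitespace)
    "alert": '{"data":{"categories":[{"uuid":"10009","name":"Books","folder":"School"}],'
             '"category_ids":["188"]}}',
    # constructed: pretty-printed JSON with spaces after the colons
    "spaced": '{"data": {"categories": []}}',
    # constructed: first key contains a digit
    "digits_in_key": '{"data":{"v2_ids":["188"]}}',
    # constructed: first key uses camelCase
    "camel_case": '{"data":{"categoryIds":["188"]}}',
    # constructed: "data" holds an array instead of an object
    "array_value": '{"data":[{"uuid":"10009"}]}',
    # constructed: an ordinary form field name, which must never be exempted
    "plain_field": "username",
    # constructed: "data" appears, but not as the top-level key
    "nested_data": '{"other":{"data":{"x":1}}}',
}


def selector_matches(selector: str, arg_name: str) -> bool:
    """Emulate the regex variable selector: an unanchored search over the name."""
    return re.search(selector, arg_name) is not None


def evaluate(selector: str) -> dict:
    """Apply one selector to every sample name; True means the name is selected."""
    return {label: selector_matches(selector, name)
            for label, name in SAMPLE_ARG_NAMES.items()}


def would_exempt(uri: str, arg_name: str, selector: str = TOLERANT_SELECTOR) -> bool:
    """Model the two conditions the post asks for: the request URI must be under
    /new/data AND the parameter name must look like the expected JSON envelope."""
    return uri.startswith("/new/data") and selector_matches(selector, arg_name)


if __name__ == "__main__":
    original, tolerant = evaluate(ORIGINAL_SELECTOR), evaluate(TOLERANT_SELECTOR)
    for label in SAMPLE_ARG_NAMES:
        print(f"{label:14s} original={original[label]!s:5s} tolerant={tolerant[label]!s:5s}")
```

Running it shows the two failure modes behind "doesn't match for all cases": the post's pattern rejects any first key that is not strictly lowercase letters and underscores, any whitespace after a colon, and a "data" array, while its lack of a start anchor lets it select a name that merely contains "data" somewhere inside, so the exemption is both too narrow and too loose. The URI restriction belongs in the rule that carries the exemption rather than in the selector; in ModSecurity 2.7 and later the shape is SecRule REQUEST_URI "@beginsWith /new/data" "id:308,phase:1,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/SQLI;ARGS_NAMES", using the tag that appears in the alert; whether that target can be narrowed further with a regex selector depends on the ModSecurity build, which is why the model above tests the selector logic on its own.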
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users