[Owasp-modsecurity-core-rule-set] few questions in regards to rules

Tzury Bar Yochay tzury.by at reguluslabs.com
Thu Dec 8 20:56:53 EST 2011


Thank you very much, Ryan, for all the clarifications. I have found some
other typos in the files; shall I point them all out?


On Thu, Dec 8, 2011 at 11:25 PM, Ryan Barnett <RBarnett at trustwave.com> wrote:

>
>
> On 12/6/11 9:31 PM, "Tzury Bar Yochay" <tzury.by at reguluslabs.com> wrote:
>
> >While going through the rule files I have gathered a few questions, and I
> >would appreciate it if someone could help me with them.
> >
> >1) I have seen several cases where setvar is stated without the right
> >part, e.g.
> >
> >        SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"
> >
> >   I wonder what it means, as normally, set is in the form of x = y,
> >and not x, or !x in this case.
>
> This is the syntax to remove a TX variable entirely.
>
> >
> >2) There seems to be a typo at line:
> >
> >        SecRule REQUEST_LINE "^GET /$" "chain,phase:2,id:981020',t:none,pass,nolog"
> >
> >    There is a trailing apostrophe (') after the id
>
> There actually should have been a single quote at the beginning of the id
> data like this - id:'981020'.  I fixed it locally and it will be updated
> in SVN soon.
>
>
> >
> >3) A few days ago I asked the following question but have not yet got an answer.
> >    When I see a rule such as
> >
> >        SecRule ARGS:&category "(?i:SELECT.+FROM)" "ctl:auditLogParts=+..."
> >
> >    I wonder what the role of the ampersand before the category is. As
> >    far as I know, '&' means a counting operation and it is usually followed
> >    by a numeric operation, e.g. @eq, @ge and the like.
> >
> >    However, this is a case where I see & followed by an implicit '@rx'
>
> This was a bug in the snort2modsec.pl script.  The & should have been
> removed when creating the SecRule.  I will take a look.
>
> -Ryan
>
> >
> >
> >Thanks in advance for your help,
> >Tzury
>
>
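
Added example, not part of the original thread and not CRS project code: a small Python lint pass that flags the three constructs discussed above (a `setvar:!` deletion, an unbalanced single quote in the action list, and a `&` count used with a non-numeric operator). The function names and finding codes are hypothetical, and the fourth sample rule and its id are constructed as a clean control.

```python
import re

# Operators that compare against the integer a '&' (count) variable yields.
NUMERIC_OPS = {"@eq", "@ge", "@gt", "@le", "@lt"}
# SecRule VARIABLES "OPERATOR" "ACTIONS", already joined onto one line.
RULE_RE = re.compile(r'^\s*SecRule\s+(\S+)\s+"((?:[^"\\]|\\.)*)"\s+"((?:[^"\\]|\\.)*)"\s*$')

def split_actions(actions):
    """Split on commas outside single quotes; return (parts, unterminated_part)."""
    parts, cur, in_quote = [], "", False
    for ch in actions:
        if ch == "'":
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    parts.append(cur.strip())
    return parts, (parts[-1] if in_quote else None)

def lint(rule):
    """Return a list of (code, detail) findings for one SecRule line."""
    m = RULE_RE.match(rule)
    if not m:
        return [("parse-error", rule.strip())]
    variables, operator, actions = m.groups()
    findings = []
    op = operator.lstrip("!").split(" ", 1)[0]
    op = op if op.startswith("@") else "@rx"  # no @name means implicit @rx
    if "&" in variables and op not in NUMERIC_OPS:
        findings.append(("count-with-non-numeric-operator", f"{variables} {op}"))
    parts, dangling = split_actions(actions)
    if dangling is not None:  # a quote opened here and never closed
        findings.append(("unbalanced-quote", dangling))
    for part in parts:
        if part.startswith("setvar:!"):  # informational: removes the variable
            findings.append(("setvar-deletes-variable", part[len("setvar:!"):]))
    return findings

SAMPLES = [  # first three are the rules quoted in the thread; the last is constructed
    r'''SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"''',
    r'''SecRule REQUEST_LINE "^GET /$" "chain,phase:2,id:981020',t:none,pass,nolog"''',
    r'''SecRule ARGS:&category "(?i:SELECT.+FROM)" "ctl:auditLogParts=+..."''',
    r'''SecRule &REQUEST_HEADERS:Host "@eq 0" "phase:2,id:'900001',t:none,pass,nolog"''',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(lint(sample))
```

The unbalanced-quote finding reports everything from the action where the quote opened, which is why the stray apostrophe after the id swallows the actions that follow it.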