What does ARGS , ARGS_NAMES actually mean in mod_security crs? - regex

What does ARGS , ARGS_NAMES actually mean in mod_security core rule sets?
I have already referred to the Modsecurity2 Apache Reference but I didnt get any clear idea.
Can someone give me a specific idea , preferably with an explanation, what it actually is and how something actually triggers a rule positive like the one below.
The rule below is triggered positive for cases like " x and 6" etc, in general any "and" followed by a digit. I understand what the request filename is, in this case. what i dont understand is what are ARGS and ARGS_NAMES. I need a specific example with reference to the rule below.
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*[=]|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*[<>]|\band\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')" \
"phase:2,rev:'2.2.5',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959072',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

Example:
http://server.invalid/test.php?pretty_arg=test123&ugly_arg=345test
ARGS_NAMES = "pretty_arg","ugly_arg"
ARGS = "pretty_arg:test123","ugly_arg:345test"
See here:
Reference-Manual Variables
Reference-Manual args
If you want to remove the argument from a specific call, you could use
SecRule REQUEST_FILENAME "#streq /path/to/file.php" "phase:1,id:2001,t:none,nolog,pass,ctl:ruleRemoveTargetById=959072;ARGS:ugly_arg"

Related

Mod_security rule exception for url/arg

An image on our site is flagging a modsec rule I am trying to add a rule exception for only that occurrence. The number at the start of the flagged string is a session number, so I have added a regex to my rule.
I've tried various permutations but had no joy and would appreciate some advice.
Blocked URI:
https://www.website.com/application/login?0--preLoginHeaderPanel-companyLogo
Modsec log snippet:
[file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "65"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1c found within ARGS_NAME:0--preLoginHeaderPanel-companyLogo: 0--preLoginHeaderPanel-companyLogo"]
Attempted exceptions (within apache.conf):
SecRuleUpdateTargetById 942100 !ARGS_NAMES:'[0-9][0-9]?--preLoginHeaderPanel-companyLogo'
Core Rule Set Dev on Duty here. Rule 942100 is one of our 'LibInjection' rules. LibInjection is quite opaque (it's a third party library/operator), so you're correct that a rule exclusion is the way to fix this issue.
The use of regular expressions in this context follows a specific form. They need to be sandwiched inside forward slashes, like so:
SecRuleUpdateTargetById 942100 "!ARGS_NAMES:/^[0-9][0-9]?--preLoginHeaderPanel-companyLogo/"
I added in a starting anchor at the beginning of the regular expression. You might want to think whether anchoring at the end is a good idea, as well.
For more examples and information, we have some great documentation on this here: https://coreruleset.org/docs/configuring/false_positives_tuning/#support-for-regular-expressions

procmail: conditioning on multiple fields

I would like to store e-mails sent by me to others using the "From" field to a folder called "/sent"
So, I use:
:0:
*^From.*user#outlook.com
$HOME/Mail/sent/.
And it used to work fine. However, now I am also forwarding my e-mail from the address:user#outlook.com, what is happending is that the e-mail envelope contains the header: Resent-From.*user#outlook.com so all forwarded e-mail is being saved to the sent folder.
Is it possible to have a double condition. That is something that says that if both Resent-From and From have *user#outlook.com, then it should go to the sent-folder. In other words, is it possible to use a AND or OR or Negation condition.
Update: The provided solution is correct. I was making an error in that I had neglected the ":". Thanks for both the solution and the patience. I also learnt a number of things and about a number of resources, for which also I am grateful,
Thanks!
Procmail by default does exactly what you ask. Multiple conditions will be ANDed together. The first one which fails causes the recipe to be abandoned; if they all succeed, the action is taken.
:0 # second colon removed - don't use lock on directories
* ^From:(.*\<)?user#outlook\.com
* ^Resent-From:(.*\<)?user#outlook\.com
$HOME/Mail/sent/.
Notice also how I modified your regex to tighten it up.
To do NOT, add a ! in front of the condition. To do OR, you can negate both conditions, and take the action in the "else" part (de Morgan's law).
:0
* ! First condition
* ! Other condition
{ } # do nothing
:0E # else, meaning at least one was true
action
Of course, if both conditions are regular expressions, you can simply use the regex or operator.
:0
* First condition|Other condition
action

How to avoid backslash in middle of a regular expression extracted value Load runner and sent in the Request body parameter

In response, an authentication value consists of \ to escape / in parameter so while capturing parameter it is getting "\" in middle as well but in subsequent request need to send with out "\" is there any way to do this in LoadRunner
Example :-
web_reg_save_param_ex(
"ParamName=pValue",
"LB=Value:",
"RB=\"",
SEARCH_FILTERS,
"Scope=Body",
LAST);
Captured Value is AdfjshxnjkAKLDKLJlk\/ghg
Required value is AdfjshxnjkAKLDKLJlk/ghg
How to remove \ this from the value.
Is there any load runner inbuilt functions for this.
I had a similar problem that I solved by storing the correlated parameter as a string variable and then using a replace function to parse and replace the characters I didn't need.
Only problem is I was using JavaScript as my scripting language in VuGen so my code specifics wouldn't help you much. You might see about doing the same thing with C, or if switching to JS is plausible for you, mine looked similar to this:
var str = lr.evalString("{correlated_parameter}")
var corrected_string = str.replace(/\\/g, '');
My code used a different regular expression, but I think I have the syntax right for what you're trying to do, but I haven't tried this exact string of course.
Here's a link to another SO thread with more details on using the replace function.

Nested 'or' restriction in 'and' one leading in unexpected result

i am quite confused about how the Criteria API does build the final query.
Here's some code :
someCriteria.add(
Restrictions.and(
Restrictions.or(Restrictions.gt(a,b),Restrictions.isNull(a)),
Restrictions.ge(d,e)
)
I was expecting something like
SELECT.. FROM...
WHERE (A > B or A IS NULL) AND (D > E)
But when I inspect my criteria entries, I see instead something like :
SELECT.. FROM...
WHERE A > B or A IS NULL AND D > E
thus leading in unexpected result.
I am quite sure I could rewrite the query so that it is no more a problem, but since the application I am about to develop for is based on such queries, I need to understand the problem.
So, anyone could explain why I dot not get expected parentheses around the part of the query generated by the "Restrictions.or(...)"?
Thanks in advance.
PS : Hibernate core 4.3.4.Final
So the problem was not with "Criteria", but with my excessive trust in the debugging tools : the Criteria does actually match the first solution, ie adds parentheses around each generated restriction.
But when I tried to log or watch the criterion entries inside the Criteria object, some parentheses were just not displayed, leading me into misinterpreting my problem.
So the solution to understand the problem was to log the actual request (eg using property "show_sql" in the sessionFactoryBean and setting log4j.logger.org.hibernate.sql to TRACE level).

Finding type of break in icu::BreakIterator

I'm trying to understang how to use icu::BreakIterator to find specific words.
For example I have following sentence:
To be or not to be? That is the question...
Word instance of break iterator would put breaks there:
|To| |be| |or| |not| |to| |be|?| |That| |is| |the| |question|.|.|.|
Now, not every pair of break points is actual word.
In derived class icu::RuleBasedBreakIterator there is a "getRuleStatus()" that returns some kind of information about break, and it gives "Word status at following points (marked "/")"
|To/ |be/ |or/ |not/ |to/ |be/?| |That/ |is/ |the/ |question/.|.|.|
But... It all depends on specific rules, and there is absolutely no documentation to understand it (unless I just try), but what would happend with different locales and languages where dictionaries are used? what happens with backware iteration?
Is there any way to get "Begin of Word" or "End of Word" information like in Qt QTextBoundaryFinder: http://qt.nokia.com/doc/4.5/qtextboundaryfinder.html#BoundaryReason-enum?
How should I solve such problem in ICU correctly?
Have you tried the ICU documentation? It appears to explain everything you are asking about including handling of internationalisation, reverse iteration, and the rules, both default and how to create your own custom set. They also have code snippets to help.