PROBLEMRULE #1; SecRule REQUEST_URI "^/(|(.*)/)(lpt1|lpt2|lpt3|lpt4)(/|\.|\?|$)" "t:none,t:htmlEntityDecode,t:lowercase,t:removeWhitespace,block,msg:'X',id:'1000'"
PROBLEMRULE #2; SecRule REQUEST_URI "^(.*)//(.*)$" "t:none,t:removeWhitespace,block,msg:'X',id:'1001'"

// I also tried these, but with no success.
SecRule REQUEST_URI "//"
SecRule REQUEST_URI "^/(.*)/(lpt1|lp...

These 2 rules won't work as expected. Other rules are working fine. I want to block requests like these:

// (too many slash, NOT blocked)
/////////// (too many slash, NOT blocked)
/lpt1 (Apache returns 403, NOT from modsec. Error log: "Forbidden: (web-dir)/lpt1 doesn't point to a file or directory")
/lpt1/blah (Apache returns 403, NOT from modsec. "doesn't point to a file or directory")
/somedir/lpt4.txt (Same as above)
/somedir/lpt4 (Same as above)
/somedir/////// (* SUCCESSFULLY blocked)

I believe these regular expressions are O.K., so I really want to know why mod_security2 won't block these requests. I want to block them using mod_sec2, not Apache.

Environment: Windows Test Web server | mod_sec2 | Apache 2.4

To moderators:
Sorry for creating another question,
but my email has been hacked and I lost my password.
Please delete http://security.stackexchange.com/questions/47000/why-these-2-regexp-wont-work-as-expected
I will use THIS ONE to continue the question.

Regarding the earlier questions:

The REQUEST_URI variable doesn't include the domain or the protocol. Did you mean to add more to the end of that URL?

Yes, I know. I want mod_sec2 to deny "GET ////////" (shown in the examples above). If I hit hxxp: // something.mysite.com////////// in a browser, REQUEST_URI becomes "///////", so id:1001 should be applied. Am I right?

Is the rule ID logged for the request that is successfully blocked by Mod Security?

If the mod_security rule was successfully applied, I can see the mod_sec error in my Apache error log (including the hit rule ID, of course).

"/somedir/lpt4" and the other ones are blocked by Apache, not by mod_security. (No logs from mod_security.)

LPT1?

http://www.hanselman.com/blog/NamingAFileAReservedNameInTheWindowsVistaOperatingSystem.aspx I want mod_sec to deny these ugly internal device names, so I created a rule (id:1000).

P.S. "RewriteRule" is not an option for me. I want to use mod_sec2 to do this.

mcgyver5
Krey

1 Answer

SecRule REQUEST_URI "^/(|(.*)/)(lpt1|lpt2|lpt3|lpt4)(/|\.|\?|$)" "t:none,t:htmlEntityDecode,t:lowercase,t:removeWhitespace,block,msg:'X',id:'1000'"

There can be two problems with these rules.

  1. The HTTP request transformation functions, i.e. t:htmlEntityDecode, t:lowercase, t:removeWhitespace, should be in compliance with the actual encoding scheme used in the HTTP request. ModSecurity transforms the input and applies the regular expression after each transformation.
  2. You are using block as the disruptive action. The problem with block is that it uses the SecDefaultAction value, which can be pass, deny or drop. Therefore block may not be blocking the malicious HTTP request, and replacing block with deny may solve the problem.
Ali Ahmad
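Added example, not the asker's or answerer's configuration: both rules rewritten with an explicit deny (so they no longer depend on SecDefaultAction, the answer's second point) and pinned to phase 1. Apache's directory walk, which produces the "doesn't point to a file or directory" 403 for Windows reserved device names, runs in the map-to-storage step, before the fixups hook in which ModSecurity 2 executes phase 2 (the default when no phase is given), so a rule meant to catch those names only sees the request if it runs in phase 1. The reserved-name pattern is widened beyond lpt1-lpt4 to all Windows device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9); Apache 2.4 with ModSecurity 2.x on Windows is assumed.

```apache
# Added example (not from the question or answer). Assumed: Apache 2.4,
# ModSecurity 2.x, rule engine enabled.
SecRuleEngine On

# What "block" resolves to when a rule uses it: one default per phase.
# If these are left at pass, "block" blocks nothing. The rules below use
# an explicit deny instead, so they do not rely on this setting.
SecDefaultAction "phase:1,log,deny,status:403"
SecDefaultAction "phase:2,log,deny,status:403"

# Rule 1000: a Windows reserved device name as a whole path segment,
# anywhere in the path (/lpt1, /lpt1/blah, /somedir/lpt4.txt, /somedir/lpt4).
#
# phase:1 runs in post_read_request, before Apache's directory walk rejects
# the path with its own 403. Without "phase", the rule runs in phase 2
# (fixups), after that walk, and never sees these requests.
#
# t:none discards inherited transformations; the listed ones are applied in
# order and the pattern is matched against the transformed value.
# REQUEST_URI is not URL-decoded by ModSecurity, hence t:urlDecodeUni.
SecRule REQUEST_URI "^(?:.*/)?(?:con|prn|aux|nul|com[1-9]|lpt[1-9])(?:/|\.|\?|$)" \
    "id:1000,phase:1,\
     t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace,\
     deny,status:403,log,\
     msg:'Windows reserved device name in request URI'"

# Rule 1001: an empty path segment, i.e. "//" anywhere in the URI
# (covers a URI made only of slashes, and /somedir///////).
# A bare "//" pattern is enough; wrapping it in ^(.*)//(.*)$ adds nothing.
SecRule REQUEST_URI "@rx //" \
    "id:1001,phase:1,\
     t:none,t:urlDecodeUni,t:removeWhitespace,\
     deny,status:403,log,\
     msg:'Empty path segment (double slash) in request URI'"
```

When a rule fires, the error log entry names the rule id, so the absence of an id:1000 entry next to Apache's own "doesn't point to a file or directory" line is the sign that the rule ran too late rather than that the regex failed.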