Using a regular expression in a ruleRemoveTargetById command

109 views
Skip to first unread message

jarofi

unread,
Jun 20, 2023, 10:26:15 AM6/20/23
to ModSecurity Core Rule Set project
Hello MSCRS project,

We use the Web Application Firewall based on ModSecurity with Core Rule Set and we need to define exception for some URI contained some cookies. Unfortunately, the name of cookies contains many suffixes, therefore we would like to use regular expression in the definition of the exception. I prepared jsessionid.conf file:

SecRule REQUEST_URI "@rx ^/.*" \

    "id: 1001,\

    phase:1,\

    t:none,\

    pass,\

    nolog,\

    msg:'Exception 1001,\

    ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:/^JSESSIONID_.*/"


But after this change the server instance do not start with the error:

Error in configuration file: Rules error. File: …/shared/waf/rules/jsessionid.conf. Line: 8. Column: 67. Expecting an action, got:  ^JSESSIONID_.*/"

Is there some syntax error or the regular expression in ruleRemoveTargetById cannot be used? Thank you very much in advance for your help.

Best regards,

Jarda

Christian Folini

unread,
Jun 21, 2023, 5:04:22 AM6/21/23
to jarofi, ModSecurity Core Rule Set project
Hey Jarda,

It's most unfortunate, but the ruleRemoveTargetById does not allow for
regular expressions, you will have to disable this for all the cookies, thus
"
...,ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES"

What can you do to minimaze the fallout:
- Limit the URI this RE applies to
- Re-create 942100 - it's really an important rule - for example as
842100 and set the other relevant cookies as explicit targets.
So non-cookie coverage in 942100 and named cookies covered in 842100.

Sorry we do not have a better solution, but it's really a ModSecurity
shortcoming.

Best,

Christian
> --
> You received this message because you are subscribed to the Google Groups "ModSecurity Core Rule Set project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to modsecurity-core-rule-...@owasp.org.
> To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/modsecurity-core-rule-set-project/74c7ca84-eb0c-4f2a-9c0f-41453c7d521cn%40owasp.org.

Reply all
Reply to author
Forward
0 new messages