
I'm trying to evaluate and block GET/POST requests that don't have a given ARG for certain URIs.

The following rule doesn't validate the "!@eq 1" line

(REQUEST_URI and REQUEST_HEADERS work as expected when tested individually.)

SecRule REQUEST_URI "(?i:(jwtpoc))" "phase:1,id:999955,block,log,deny,status:508,msg:'IP: %{REMOTE_ADDR} GET/POST test URI',chain"
SecRule &ARGS:cualquiera "!@eq 1" "chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0"

I can validate both "@eq 1" and "!@eq 1" if I write a SecRule like the following one:

SecRule &ARGS:cualquiera "@eq 1" "id:999957,phase:2,pass,log,capture,msg:'param cualquiera found: %{MATCHED_VAR}'"

How can rule id 999955 achieve this goal?

Examples

SecRule REQUEST_URI "(?i:(jwtpoc))" "phase:2,id:999955,block,log,deny,status:508,msg:'IP: %{REMOTE_ADDR} GET/POST test URI',chain"
  SecRule &ARGS:cualquiera "@eq 1" "chain"
  SecRule &REQUEST_HEADERS:Referer "@eq 0"

curl --form cualquiera=ANY http://foo.bar/jwtpoc.showcaller [ OK ]

[22/Mar/2017:17:23:50 --0400] [foo.bar/sid#1ab39b8][rid#7f518c014e60][/jwtpoc.showcaller][1] Access denied with code 508 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/moduleconf/myrules/test/cp_rules.conf"] [line "2"] [id "999955"] [msg "IP: 10.10.10.145 GET/POST test URI"]

But for this one:

curl --referer myReferer http://beta.reservhotel.com/win/owa/jwtpoc.showcaller [ NOTOK ]

the rule SecRule &ARGS:cualquiera "@eq 1" "chain" is not considered and this action is not being blocked.

Thanks!

Daniel Vukasovich

1 Answer


POST arguments are not available in phase 1. So change your chained rule 999955 to be a phase 2 rule instead and it should work.

You also are misunderstanding how chained rules work. They work as an AND argument, so ALL rules must match to work. That is, the first rule in your question says: block jwtpoc requests which also have no cualquiera argument and also have no referrer.

Your second attempt then removes the "not" part of the cualquiera argument test, so it looks for jwtpoc requests which have a cualquiera argument and also have no referrer. Your first example matches all three rules, but your second example doesn't (as the middle rule doesn't match).

If you want to fail all jwtpoc requests without a cualquiera argument or a referrer then you need to write two rules for this OR statement. Like this:

#Rule 9999550 to block jwtpoc requests without a cualquiera argument
SecRule REQUEST_URI "(?i:(jwtpoc))" "phase:2,id:9999550,block,log,deny,status:508,msg:'IP: %{REMOTE_ADDR} GET/POST test URI',chain"
  SecRule &ARGS:cualquiera "!@eq 1"

#Rule 9999551 to block jwtpoc requests with no referrer
SecRule REQUEST_URI "(?i:(jwtpoc))" "phase:2,id:9999551,block,log,deny,status:508,msg:'IP: %{REMOTE_ADDR} GET/POST test URI',chain"
  SecRule &REQUEST_HEADERS:Referer "@eq 0"
Barry Pollard
  • I changed it from phase:1 to phase:2 but the behavior is the same. – Daniel Vukasovich Mar 22 '17 at 20:06
  • Can you edit your question to give examples of requests that should be caught by the rule but are failing to be caught? Also can you turn on Debug logging and see what the request shows in the Debug logs? – Barry Pollard Mar 22 '17 at 20:20
  • I added #2 examples for the same rule, one is being executed as expected and the other not. – Daniel Vukasovich Mar 23 '17 at 01:57
  • The second example doesn't have a cualquiera argument? So why would it match when you say you need it to have one of these arguments to be considered? – Barry Pollard Mar 23 '17 at 03:31
  • Because it's the condition I want to block; I tried using !ARGS:cualquiera also but it doesn't work either. In rule id:999955, if you remove the last condition &REQUEST_HEADERS:Referer then the rule works OK, so the problem arises when the chain is composed of these 3 rules. – Daniel Vukasovich Mar 23 '17 at 14:33
  • So do you want to block when it contains a cualquiera argument? Or when it doesn't contain a cualquiera argument? Or both? Also you are passing a referrer in your second example, and then complaining that the rule to check if there is no referer fails to fire when a referer is given. I'm very, very confused as to what you want your rule to do. As, it would appear, is ModSecurity... – Barry Pollard Mar 23 '17 at 15:00
  • The rule id 999955 is an AND condition, and should block all URLs that contain "jwtpoc" but don't have "ARG:cualquiera" and/or "Referer". The first example is blocked as expected (has no Referer) but the second example isn't being blocked, and it should be blocked as it has no ARG:cualquiera. – Daniel Vukasovich Mar 23 '17 at 16:12
  • Updated answer now I think I know what you're asking. Let me know if that still doesn't work! – Barry Pollard Mar 26 '17 at 15:36
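The following is an added worked example, not code from either poster: a small Python model of the ModSecurity semantics the answer relies on (chained lines are ANDed; a leading `&` counts matching variables; `!` inverts one line; and in phase 1 the request body has not been read, so `ARGS` only contains query-string arguments). It evaluates the question's chain (negated and non-negated, phase 1 and phase 2) and the answer's two separate rules against constructed requests that mirror the two curl calls above. The request objects, the `Request`/`Cond`/`Rule` classes and `blocking_rule` are illustration helpers, not ModSecurity APIs, and the model deliberately supports only the variables and operators the rules on this page use.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Request:
    """Constructed request for illustration; not a real capture."""
    method: str
    uri: str
    headers: Dict[str, str] = field(default_factory=dict)
    query_args: Dict[str, str] = field(default_factory=dict)
    body_args: Dict[str, str] = field(default_factory=dict)

    def args(self, phase: int) -> Dict[str, str]:
        # Phase 1 runs once request headers are in; the body has not been read yet,
        # so ARGS only holds query-string arguments there. Phase 2 sees body args too.
        if phase == 1:
            return dict(self.query_args)
        return {**self.query_args, **self.body_args}


@dataclass
class Cond:
    """One SecRule line of a chain: variable (optional & count prefix), operator, argument, negation."""
    variable: str
    operator: str
    arg: str
    negate: bool = False

    def _value(self, req: Request, phase: int):
        count = self.variable.startswith("&")
        var = self.variable.lstrip("&")
        if var == "REQUEST_URI":
            return req.uri
        collection, _, name = var.partition(":")
        if collection == "ARGS":
            source = req.args(phase)
        elif collection == "REQUEST_HEADERS":
            # header names are compared case-insensitively
            source = {k.lower(): v for k, v in req.headers.items()}
            name = name.lower()
        else:
            raise ValueError(f"unsupported variable {var}")
        values = [v for k, v in source.items() if k == name]
        return len(values) if count else values

    def matches(self, req: Request, phase: int) -> bool:
        value = self._value(req, phase)
        if self.operator == "@rx":
            result = re.search(self.arg, value) is not None
        elif self.operator == "@eq":
            result = int(value) == int(self.arg)
        else:
            raise ValueError(f"unsupported operator {self.operator}")
        return result != self.negate  # "!@op" inverts the outcome of that single line


@dataclass
class Rule:
    rule_id: int
    phase: int
    chain: List[Cond]  # chained lines are ANDed: every line must match for the action to fire

    def fires(self, req: Request) -> bool:
        return all(c.matches(req, self.phase) for c in self.chain)


def blocking_rule(rules: List[Rule], req: Request) -> Optional[int]:
    """Id of the first rule, in phase order, whose whole chain matches; None if nothing blocks."""
    for rule in sorted(rules, key=lambda r: r.phase):
        if rule.fires(req):
            return rule.rule_id
    return None


URI = Cond("REQUEST_URI", "@rx", r"(?i:(jwtpoc))")
NO_ARG = Cond("&ARGS:cualquiera", "@eq", "1", negate=True)   # "!@eq 1"
HAS_ARG = Cond("&ARGS:cualquiera", "@eq", "1")                # "@eq 1"
NO_REFERER = Cond("&REQUEST_HEADERS:Referer", "@eq", "0")     # "@eq 0"

# The question's chain as first posted (phase:1) and after moving it to phase:2
CHAIN_PHASE1 = [Rule(999955, 1, [URI, NO_ARG, NO_REFERER])]
CHAIN_PHASE2 = [Rule(999955, 2, [URI, NO_ARG, NO_REFERER])]
# The non-negated variant from the "Examples" section (the one the log line shows firing)
CHAIN_POSITIVE = [Rule(999955, 2, [URI, HAS_ARG, NO_REFERER])]
# The answer's two independent rules: the OR is split into two chains
TWO_RULES = [Rule(9999550, 2, [URI, NO_ARG]), Rule(9999551, 2, [URI, NO_REFERER])]

# Constructed requests mirroring the two curl calls in the question, plus two edge cases
REQ_FORM = Request("POST", "/jwtpoc.showcaller", body_args={"cualquiera": "ANY"})
REQ_REFERER = Request("GET", "/win/owa/jwtpoc.showcaller", headers={"Referer": "myReferer"})
REQ_BOTH = Request("POST", "/jwtpoc.showcaller", headers={"Referer": "x"}, body_args={"cualquiera": "ANY"})
REQ_NEITHER = Request("GET", "/jwtpoc.showcaller")


if __name__ == "__main__":
    sets = (("chain phase1", CHAIN_PHASE1), ("chain phase2", CHAIN_PHASE2),
            ("chain @eq 1", CHAIN_POSITIVE), ("two rules", TWO_RULES))
    reqs = (("form", REQ_FORM), ("referer", REQ_REFERER), ("both", REQ_BOTH), ("neither", REQ_NEITHER))
    for label, rules in sets:
        for name, req in reqs:
            print(f"{label:13} {name:8} -> blocked by {blocking_rule(rules, req)}")
```

Two things the output makes visible: the phase 1 chain blocks the form POST even though `cualquiera` is present, because the body argument is not visible yet (and the same rule in phase 2 lets it through), and the single AND chain never blocks the Referer-only request, while the two separate rules block each request that is missing either the argument or the Referer and pass only the request that has both.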