Re: Re: ModSecurity and custom headers


 



I also tried for example:

SecDefaultAction "phase:2,deny,log,status:406,setenv:'env_modsecblk=%{rule.msg}'"
<If "'%{env_modsecblk}e' =~ /[a-zA-Z]/">
  Header always set X-ModSec-Block %{env_modsecblk}e env=env_modsecblk
</If>

But that also fails with:

AH00526: Syntax error on line 21 of /usr/local/apache/conf/modsec2.conf:
Cannot parse condition clause: Variable 'env_modsecblk' does not exist


On Sat, Mar 11, 2017 at 8:06 AM, Andrei <lagged@xxxxxxxxx> wrote:
Hello again :)

So I went to the modsec lists, figured out how to get the environment variable set with the rule message by default for all rules, then push the 'msg' to a custom X header from there. For example:

SecDefaultAction "phase:2,deny,log,setenv:'env_msecblk=%{rule.msg}'"
Header always set X-ModSec-Block %{env_msecblk}e env=env_msecblk

However, I soon found that empty X-ModSec-Block headers were being set, due to the empty "env_msecblk" environment variable being set by ModSecurity in cases where disruptive rules weren't triggered. Reading over the header directive docs [1], I noticed that the header will be set only if the environment variable exists, but doesn't check if it's empty. So I then tried:

Header always set X-ModSec-Block %{env_modsecblk}e "expr=%{env_modsecblk}e =~ m#[a-zA-Z]#"

The above unfortunately failed with: Can't parse envclause/expression: syntax error, unexpected T_ID: Variable 'env_modsecblk' does not exist

To get around that, I took a "dirty" clean-up approach:

Header always set X-ModSec-Block %{env_modsecblk}e env=env_modsecblk
<If "! %{HTTP:X-ModSec-Block} =~ /[a-zA-Z]/">
    Header always unset X-ModSec-Block
</If>

So my question at this point is: how do I conditionally set the custom "X-ModSec-Block" header to the value of the "env_modsecblk" environment variable, if that variable exists and isn't blank? Thanks again everyone :)

1 - http://httpd.apache.org/docs/current/mod/mod_headers.html#header




On Wed, Mar 1, 2017 at 3:36 AM, Luca Toscano <toscano.luca@xxxxxxxxx> wrote:
Hi Andrei,

2017-03-01 6:54 GMT+01:00 Andrei <lagged@xxxxxxxxx>:
Is there a different list I should be asking this on?

I would start from https://modsecurity.org/help.html (Mod Security is not part of the httpd release since it is a third party module). 

Hope that helps!

Luca
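
Added example (not part of the original messages, and not code from the httpd or ModSecurity projects): both parse errors quoted above come from using the mod_headers format-string syntax, %{name}e, inside an ap_expr condition, where %{NAME} refers only to built-in expression variables. The sketch below keeps the thread's variable and header names and tests the request environment variable with reqenv() and -n (string is not empty). It assumes httpd 2.4 and that no ErrorDocument internal redirect has renamed the variable to REDIRECT_env_modsecblk.

```apache
# ModSecurity side, as posted in the thread: copy the matched rule's msg into
# a request environment variable as part of the default action list.
SecDefaultAction "phase:2,deny,log,status:406,setenv:'env_modsecblk=%{rule.msg}'"

# Form from the thread, kept for comparison: env= only tests that the variable
# exists, so an empty value still produces an empty X-ModSec-Block header.
#Header always set X-ModSec-Block "%{env_modsecblk}e" env=env_modsecblk

# Alternative: the header value keeps the mod_headers format specifier, while
# the condition is an ap_expr that reads the variable with reqenv() and uses
# -n so the header is set only when the value is a non-empty string.
Header always set X-ModSec-Block "%{env_modsecblk}e" "expr=-n reqenv('env_modsecblk')"
```

Since the header carries rule.msg, the response tells the client which rule matched, so it is worth deciding whether it should leave the internal network or be stripped at the edge.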


