<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<title>Windows Rule question</title>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
p
        {mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:Arial;
        color:navy;}
@page Section1
        {size:595.3pt 841.9pt;
        margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.Section1
        {page:Section1;}
/* List Definitions */
@list l0
        {mso-list-id:786698761;
        mso-list-type:hybrid;
        mso-list-template-ids:1379828942 2024439216 67895299 67895301 67895297 67895299 67895301 67895297 67895299 67895301;}
@list l0:level1
        {mso-level-start-at:0;
        mso-level-number-format:bullet;
        mso-level-text:\F0F0;
        mso-level-tab-stop:36.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Wingdings;
        mso-fareast-font-family:"Times New Roman";
        mso-bidi-font-family:Arial;}
ol
        {margin-bottom:0cm;}
ul
        {margin-bottom:0cm;}
-->
</style>
</head>
<body lang=FR link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>Hi there,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>Actually, following my
previous mail, I've got a more global question:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>Many rules are using "\x2e"
or "\x20" or other encoded characters in their regexp...<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>I thought that
mod_security was decoding URL-encoded characters, so what's the use of
such regexp? Why aren't you using simply "." or " "?<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>As a matter of fact, if I
look at the mod_security debug log, here is what I see:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [2] Detection phase starting (request 8a69c20): "GET
/toto%2Eis%20a%2ehacker.html HTTP/1.0"<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [9] Stored msr (8a6b0a8) in r (8a69c20)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [4] Normalised REQUEST_URI: "/toto.is a.hacker.html"<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [2] Parsing arguments...<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [3] Content-Type is not available<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [4] read_post_payload: this request has no body (0)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [4] Time #1: 4082685 usec<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [2] Checking signature "^POST$" at REQUEST_METHOD<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [4] Checking against "GET"<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [9] Check took 7 usec<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [9] Signature check returned 0<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [9] Chained rule and no match, find the next rule not in chain<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [2] Checking signature "!^$" at HEADER(Transfer-Encoding)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [4] Checking against ""<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [9] Check took 4 usec<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [9] Signature check returned 0<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [2] Checking signature "!HTTP\\/(0\\.9|1\\.0|1\\.1)$" at
THE_REQUEST<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>[08/Dec/2005:10:31:20
+0100] [4] Checking against "GET /toto.is a.hacker.html HTTP/1.0"<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>Etc..<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>The URL-encoded characters
are indeed decoded...<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>Can someone explain to me
why such URL-encoded characters are still used in regexp? This is quite
confusing, as "\x2easp" (which seems a legitimate rule at first
glance), is in fact a ".asp" rule (which is stupid)!<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>Thank you very much for
your answer.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>Regards,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'>Thomas.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span lang=EN-GB
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> modsecurity-bounces@gotroot.com
[mailto:modsecurity-bounces@gotroot.com] <b><span style='font-weight:bold'>On
behalf of</span></b> <st1:PersonName w:st="on">CASTELLE Thomas</st1:PersonName><br>
<b><span style='font-weight:bold'>Sent:</span></b> Wednesday 7 December
2005 10:11<br>
<b><span style='font-weight:bold'>To:</span></b> modsecurity@gotroot.com<br>
<b><span style='font-weight:bold'>Subject:</span></b> [Modsecurity] Windows
Rule question</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p><font size=2 face="Times New Roman"><span style='font-size:10.0pt'>Hello,</span></font>
<o:p></o:p></p>
<p><font size=2 face="Times New Roman"><span style='font-size:10.0pt'>I am
using the last mod_security rules and it seems that ALL my asp</span></font> <br>
<font size=2><span style='font-size:10.0pt'>requests match this rule:</span></font>
<o:p></o:p></p>
<p><font size=2 face="Times New Roman"><span style='font-size:10.0pt'># WEB-IIS
%2E-asp access</span></font> <br>
<font size=2><span style='font-size:10.0pt'>SecFilterSelective REQUEST_URI
"\x2easp" log,pass</span></font> <o:p></o:p></p>
<p><font size=2 face="Times New Roman"><span style='font-size:10.0pt'>Is it a
bogus rule?</span></font> <o:p></o:p></p>
<p><font size=2 face="Times New Roman"><span style='font-size:10.0pt'>Thanks in
advance,</span></font> <o:p></o:p></p>
<p><font size=2 face="Times New Roman"><span style='font-size:10.0pt'>Thomas.</span></font>
<o:p></o:p></p>
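<p>The behaviour asked about in this thread, as an added example that is not part of the original mails and is not mod_security's code: a simplified Python model (percent-decoding only, which is an assumption) showing that once REQUEST_URI is normalised the pattern "\x2easp" matches every .asp request, and that telling an encoded dot from a plain one requires the raw URI. RAW_ENCODED_DOT, the function names and all sample URIs except the first are constructed for illustration.</p>

```python
import re
from urllib.parse import unquote

# Pattern from the rule in the thread: SecFilterSelective REQUEST_URI "\x2easp"
# In a regex, \x2e is the literal character ".", not the "any character" wildcard.
RULE = re.compile(r"\x2easp")

# Hypothetical pattern (assumption, not from the rule set): the dot as it
# appears on the wire when it was sent percent-encoded.
RAW_ENCODED_DOT = re.compile(r"%2easp", re.IGNORECASE)


def normalise(uri):
    """Simplified model of the normalisation step: percent-decoding only."""
    return unquote(uri, encoding="latin-1")


def evaluate(raw_uri):
    """Report what each pattern sees for one request URI."""
    decoded = normalise(raw_uri)
    return {
        "normalised": decoded,
        "rule_on_normalised": bool(RULE.search(decoded)),
        "rule_on_raw": bool(RULE.search(raw_uri)),
        "encoded_dot_on_raw": bool(RAW_ENCODED_DOT.search(raw_uri)),
    }


# Sample URIs: the first is the one in the debug log above, the rest are constructed.
SAMPLES = [
    "/toto%2Eis%20a%2ehacker.html",
    "/default.asp",
    "/default%2Easp",
    "/default%2easp?id=1",
    "/xasp/index.html",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        r = evaluate(uri)
        print(f"{uri:30} normalised={r['normalised']:26} "
              f"rule={r['rule_on_normalised']!s:5} "
              f"encoded_dot_in_raw={r['encoded_dot_on_raw']}")
```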
</div>
</body>
</html>