Discussion:
[mod-security-users] When to use @strmatch
J Doe
2017-03-02 21:52:04 UTC
Hello,

I have two questions regarding @strmatch in ModSecurity 2.9.1.

According to the ModSecurity wiki, @strmatch performs a "single pattern matching operator". I take that to mean that I can specify one "pattern" for it to match against as in the example in the wiki:

# Detect suspicious client by looking at the user agent identification
SecRule REQUEST_HEADERS:User-Agent "@strmatch WebZIP" "id:177"

Does this mean that it will attempt to match "WebZIP" to any portion of the User-Agent string (so User-Agent strings of "WebZip" and "WebZip 2000" would match), as opposed to the @streq operator, which would look for "WebZIP" as the exact string (i.e. User-Agent is only "WebZIP")?

If this is the case, the wiki notes that @strmatch uses the Boyer-Moore-Horspool algorithm which is "...much better than a regular expression."

Does this mean that if I am matching on a single pattern I want to ALWAYS use @strmatch over @rx?

Thanks



I note in the ModSecurity wiki that @strMatch performs a "single pattern matching operator". I am assuming that means

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
mod-security-users mailing list
mod-security-***@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
Robert Paprocki
2017-03-03 00:23:17 UTC
Hi,
Post by J Doe
Hello,
matching operator". I take that to mean that I can specify one "pattern"
# Detect suspicious client by looking art the user agent identification
Does this mean that it will attempt to match "WebZIP" to any portion of
the User-Agent string (so User-Agent strings of "WebZip" and "WebZip 2000"
"WebZIP" as the exact string (ie: User-Agent is only "WebZIP") ?
Correct. Given the following curl:

curl -H "User-Agent: hi WebZIP world" localhost

And the rule example you provided, see the following from the debug log:

[02/Mar/2017:16:18:06 --0800]
[localhost/sid#7f653d12ab40][rid#7f653d0c60a0][/][5]
Rule 7f653d1364a8: SecRule "REQUEST_HEADERS:User-Agent" "@strmatch WebZIP"
"phase:2,log,auditlog,pass,id:177"
[02/Mar/2017:16:18:06 --0800]
[localhost/sid#7f653d12ab40][rid#7f653d0c60a0][/][4]
Transformation completed in 0 usec.
[02/Mar/2017:16:18:06 --0800]
[localhost/sid#7f653d12ab40][rid#7f653d0c60a0][/][4]
Executing operator "strmatch" with param "WebZIP" against
REQUEST_HEADERS:User-Agent.
[02/Mar/2017:16:18:06 --0800]
[localhost/sid#7f653d12ab40][rid#7f653d0c60a0][/][9]
Target value: "hi WebZIP world"
[02/Mar/2017:16:18:06 --0800]
[localhost/sid#7f653d12ab40][rid#7f653d0c60a0][/][4]
Operator completed in 0 usec.
[02/Mar/2017:16:18:06 --0800]
[localhost/sid#7f653d12ab40][rid#7f653d0c60a0][/][2]
Warning. Pattern match "WebZIP" at REQUEST_HEADERS:User-Agent. [file
"/etc/modsecurity/modsecurity.conf"] [line "219"] [id "177"]
[02/Mar/2017:16:18:06 --0800]
[localhost/sid#7f653d12ab40][rid#7f653d0c60a0][/][4]
Rule returned 1.
[02/Mar/2017:16:18:06 --0800]
[localhost/sid#7f653d12ab40][rid#7f653d0c60a0][/][9]
Match -> mode NEXT_RULE.

The debug log is a pretty great thing :D
Post by J Doe
Boyer-Moore-Horspool algorithm which is "...much better than a regular
expression."
Does this mean that if I am matching on a single pattern I want to ALWAYS
Pretty much, if your pattern isn't a regular expression. BMH is simple
string matching; the power of regular expressions extends light years
beyond this (conditionals, lookarounds, character classes). If you have a
single, simple string, BMH is the preferred solution (coupled with some
transforms like t:lowercase and such to handle capitalization issues). If
you have any need for regular expression functionality, well, use @rx ;)
Beyond regex functionality itself, @rx allows for populating the TX
collection with the contents of capture groups, via the non-disruptive
'capture' action (see
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#capture).
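The following is an added example, not code from the thread or from ModSecurity itself. It models the three operators discussed above in Python: a Boyer-Moore-Horspool substring search standing in for @strmatch (and, as Christian notes elsewhere in the thread, @contains), plain equality for @streq, and Python's `re` for @rx with its capture groups. The `evaluate` helper, the rule dictionaries and the User-Agent strings are assumptions made for the demonstration; one detail worth knowing is that transformations such as t:lowercase are applied to the target value only, so a case-insensitive fixed-string match needs the pattern itself written in lowercase.

```python
import re

def horspool_find(pattern: bytes, text: bytes) -> int:
    """Boyer-Moore-Horspool substring search (the algorithm behind @strmatch).
    Returns the index of the first occurrence of pattern in text, or -1."""
    m, n = len(pattern), len(text)
    if m == 0:
        return 0
    if m > n:
        return -1
    # Bad-character table: how far the window may jump when the byte under
    # its last position is seen.  Bytes absent from pattern[:-1] allow a
    # full jump of m.
    shift = [m] * 256
    for i in range(m - 1):
        shift[pattern[i]] = m - 1 - i
    i = 0
    while i <= n - m:
        # Horspool compares the window from right to left.
        j = m - 1
        while j >= 0 and text[i + j] == pattern[j]:
            j -= 1
        if j < 0:
            return i
        i += shift[text[i + m - 1]]
    return -1

# Transformations are applied to the target value, never to the pattern
# (hypothetical subset, mirroring t:lowercase).
TRANSFORMS = {"lowercase": str.lower}

def evaluate(rule: dict, value: str):
    """Apply a rule's transformations and operator to one target value.
    Returns (matched, captures): captures is the tuple that @rx with the
    'capture' action would expose as TX:1.. and is None for fixed-string
    operators, which never capture anything."""
    for t in rule.get("transforms", ()):
        value = TRANSFORMS[t](value)
    op, pattern = rule["operator"], rule["pattern"]
    if op in ("strmatch", "contains"):
        # Fixed-string search anywhere in the value; the pattern is never
        # interpreted, so "a.c" means the literal three characters.
        return horspool_find(pattern.encode(), value.encode()) != -1, None
    if op == "streq":
        return pattern == value, None
    if op == "rx":
        m = re.search(pattern, value)
        return (m is not None), (m.groups() if m else None)
    raise ValueError(f"unsupported operator {op!r}")

# Constructed sample rules and User-Agent values for the demonstration.
STRMATCH_RULE = {"operator": "strmatch", "pattern": "WebZIP"}
STRMATCH_CI_RULE = {"operator": "strmatch", "pattern": "webzip",
                    "transforms": ["lowercase"]}
STREQ_RULE = {"operator": "streq", "pattern": "WebZIP"}
RX_RULE = {"operator": "rx", "pattern": r"WebZ[Ii][Pp](?: (\d+))?"}

if __name__ == "__main__":
    for ua in ("WebZIP", "hi WebZIP world", "WebZip 2000", "Mozilla/5.0"):
        print(ua)
        for name, rule in (("strmatch", STRMATCH_RULE), ("strmatch+lc", STRMATCH_CI_RULE),
                           ("streq", STREQ_RULE), ("rx", RX_RULE)):
            print(f"  {name:12s} {evaluate(rule, ua)}")
```

Run as a script it prints, for each User-Agent, what each operator decides: "WebZip 2000" fails the case-sensitive @strmatch, passes once t:lowercase is added, and only the @rx rule hands back the "2000" capture.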
J Doe
2017-03-07 23:45:25 UTC
Hi Robert,

Thanks for mentioning the debug log. I read that as a best practice for a production server, the maximum setting should be 3, so I set that and promptly forgot about all the data it emits regarding rules. On a low volume production server, I now have this cranked up to 9 and will correlate events in the debug.log with the transaction ID in audit event logs to get more info about what rules are firing and what they are actually seeing.

A bonus from this is that I have already found a rule that appears to fire with every other rule when it should only sometimes fire - so it's adding to the overhead.

Thanks also for mentioning "capture". I will go and read up on this some more.
Post by Robert Paprocki
Hi,
Post by J Doe
Hello,
# Detect suspicious client by looking art the user agent identification
curl -H "User-Agent: hi WebZIP world" localhost
[02/Mar/2017:16:18:06 --0800] [localhost/sid#7f653d12ab40][rid#7f653d0c60a0][/][4] Transformation completed in 0 usec.
[02/Mar/2017:16:18:06 --0800] [localhost/sid#7f653d12ab40][rid#7f653d0c60a0][/][4] Executing operator "strmatch" with param "WebZIP" against REQUEST_HEADERS:User-Agent.
[02/Mar/2017:16:18:06 --0800] [localhost/sid#7f653d12ab40][rid#7f653d0c60a0][/][9] Target value: "hi WebZIP world"
[02/Mar/2017:16:18:06 --0800] [localhost/sid#7f653d12ab40][rid#7f653d0c60a0][/][4] Operator completed in 0 usec.
[02/Mar/2017:16:18:06 --0800] [localhost/sid#7f653d12ab40][rid#7f653d0c60a0][/][2] Warning. Pattern match "WebZIP" at REQUEST_HEADERS:User-Agent. [file "/etc/modsecurity/modsecurity.conf"] [line "219"] [id "177"]
[02/Mar/2017:16:18:06 --0800] [localhost/sid#7f653d12ab40][rid#7f653d0c60a0][/][4] Rule returned 1.
[02/Mar/2017:16:18:06 --0800] [localhost/sid#7f653d12ab40][rid#7f653d0c60a0][/][9] Match -> mode NEXT_RULE.
The debug log is a pretty great thing :D
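Since the thread turns to reading the debug log at level 9 to see which rules fire and what they actually inspect, here is an added example (not code from the thread or from ModSecurity) that parses the one-line debug-log format shown above, groups entries by request id (the rid# field) and reconstructs one record per rule evaluation: rule id, operator, parameter, the target value the operator saw, and the rule's return value. The first transaction in the sample is built from the lines Robert posted (the SecRule line is joined onto one line); the second transaction, the "Mozilla/5.0" request, is constructed to show a non-match.

```python
import re
from collections import defaultdict

# Prefix common to every ModSecurity 2.x debug-log line.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<srv>[^\]]*)\]\[rid#(?P<rid>[0-9a-f]+)\]'
    r'\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$')
RULE_RE = re.compile(r'^Rule [0-9a-f]+: SecRule (?P<rest>.*)$')
OP_RE = re.compile(r'^Executing operator "(?P<op>[^"]+)" with param '
                   r'"(?P<param>[^"]*)" against (?P<target>.+?)\.$')
TARGET_RE = re.compile(r'^Target value: "(?P<value>.*)"$')
RET_RE = re.compile(r'^Rule returned (?P<ret>\d+)\.$')
ID_RE = re.compile(r'\bid:(\d+)')

def parse_debug_log(lines):
    """Return {rid: [record, ...]} with one record per completed rule
    evaluation.  A record opens on the 'Rule ...: SecRule' line and closes
    on 'Rule returned N.'; a rule with several targets keeps the last
    target value seen."""
    per_rid = defaultdict(list)
    open_rec = {}
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unrelated or wrapped line
        rid, msg = m["rid"], m["msg"]
        r = RULE_RE.match(msg)
        if r:
            idm = ID_RE.search(r["rest"])
            open_rec[rid] = {"rule_id": idm.group(1) if idm else None,
                             "operator": None, "param": None,
                             "target": None, "value": None, "matched": None}
            continue
        rec = open_rec.get(rid)
        if rec is None:
            continue
        o = OP_RE.match(msg)
        if o:
            rec.update(operator=o["op"], param=o["param"], target=o["target"])
            continue
        t = TARGET_RE.match(msg)
        if t:
            rec["value"] = t["value"]
            continue
        ret = RET_RE.match(msg)
        if ret:
            rec["matched"] = ret["ret"] == "1"
            per_rid[rid].append(rec)
            del open_rec[rid]
    return dict(per_rid)

def rule_hit_counts(per_rid):
    """{rule_id: (evaluations, matches)} across all requests: a rule whose
    match count tracks its evaluation count is the kind of always-firing
    rule the thread mentions."""
    counts = {}
    for records in per_rid.values():
        for rec in records:
            ev, hit = counts.get(rec["rule_id"], (0, 0))
            counts[rec["rule_id"]] = (ev + 1, hit + (1 if rec["matched"] else 0))
    return counts

P1 = '[02/Mar/2017:16:18:06 --0800] [localhost/sid#7f653d12ab40][rid#7f653d0c60a0][/]'
P2 = '[02/Mar/2017:16:18:07 --0800] [localhost/sid#7f653d12ab40][rid#7f653d0c70b0][/]'
SAMPLE_LOG = [  # first request from the thread, second constructed
    P1 + '[5] Rule 7f653d1364a8: SecRule "REQUEST_HEADERS:User-Agent" "@strmatch WebZIP" "phase:2,log,auditlog,pass,id:177"',
    P1 + '[4] Transformation completed in 0 usec.',
    P1 + '[4] Executing operator "strmatch" with param "WebZIP" against REQUEST_HEADERS:User-Agent.',
    P1 + '[9] Target value: "hi WebZIP world"',
    P1 + '[4] Operator completed in 0 usec.',
    P1 + '[2] Warning. Pattern match "WebZIP" at REQUEST_HEADERS:User-Agent. [file "/etc/modsecurity/modsecurity.conf"] [line "219"] [id "177"]',
    P1 + '[4] Rule returned 1.',
    P1 + '[9] Match -> mode NEXT_RULE.',
    P2 + '[5] Rule 7f653d1364a8: SecRule "REQUEST_HEADERS:User-Agent" "@strmatch WebZIP" "phase:2,log,auditlog,pass,id:177"',
    P2 + '[4] Executing operator "strmatch" with param "WebZIP" against REQUEST_HEADERS:User-Agent.',
    P2 + '[9] Target value: "Mozilla/5.0"',
    P2 + '[4] Rule returned 0.',
]

if __name__ == "__main__":
    by_rid = parse_debug_log(SAMPLE_LOG)
    for rid, records in by_rid.items():
        for rec in records:
            print(rid, rec)
    print(rule_hit_counts(by_rid))
```

Feed it a real debug.log (one line per entry, as written by mod_security2) and `rule_hit_counts` gives a quick evaluations-versus-matches table per rule id, which is a cheap way to spot a rule that matches on nearly every request.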
Christian Folini
2017-03-02 22:23:56 UTC
Post by J Doe
pattern matching operator". I take that to mean that I can specify
# Detect suspicious client by looking art the user agent
"id:177"
Does this mean that it will attempt to match "WebZIP" to any portion
of the User-Agent string (so User-Agent strings of "WebZip" and
would look for "WebZIP" as the exact string (ie: User-Agent is only
"WebZIP") ?
Yes, that conclusion is correct.
Post by J Doe
Boyer-Moore-Horspool algorithm which is "...much better than a regular
expression."
I have looked into this for the 2nd edition of the ModSec book.
@strmatch is an alternative implementation of @contains and I could
not find a difference in the results.
Post by J Doe
Does this mean that if I am matching on a single pattern I want to
Yes. @rx has a bigger overhead than @strmatch. That's why.

Ahoj,

Christian
--
An error does not become truth by reason of multiplied propagation,
nor does truth become error because nobody sees it.
Truth stands, even if there be no public support. It is self sustained.
-- Mahatma Gandhi
