Basic streaming detection on raw request/response #304
Assignees
Labels
2.x
Related to ModSecurity version 2.x
3.x
Related to ModSecurity version 3.x
bug
It is a confirmed bug
enhancement
Comments
|
Original reporter: brectanus |
|
rbarnett: I am assuming that by stream inspection, we mean that modsecurity will be able to act as a "filter". I like the following syntax - SecRule STREAM_REQUEST "@pmf huge-prequal-list.dat" "phase:rawrequest,nolog,pass,setvar:TX.prequal=1" |
ghost
assigned
|
bpinto: We start doing it with STREAM_INPUT_BODY / STREAM_OUTPUT_BODY. A real full stream inspection need to wait more |
|
bpinto: We are still buffering this variables. I really don't know if make sense has it for modsecurity. I'm moving it for future versions |
Closed
victorhora
added
enhancement
2.x
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
MODSEC-147: I'd like to begin the process of streaming inspection. Initially only on the raw request and response (i.e. connection level filter data).
See MODSEC-17 and MODSEC-18 for the basic ideas.
Here, I only want these to work:
SecStreamInspect REQUEST "@pmf huge-prequal-list.dat" "nolog,pass,setvar:TX.prequal=1"
SecStreamInspect RESPONSE "@verifyCC \b(\d{13,16})\b" "log,drop,msg='CC# detected in response',sanitizeMatchedBytes"
Or maybe these are better:
SecRule STREAM_REQUEST "@pmf huge-prequal-list.dat" "phase:rawrequest,nolog,pass,setvar:TX.prequal=1"
SecRule STREAM_RESPONSE "@verifyCC \b(\d{13,16})\b" "phase:rawresponse,log,drop,msg='CC# detected in response',sanitizeMatchedBytes"
sanitizeMatchedBytes (MODSEC-146) MUST sanitize (x out) all of the bytes that matched.
The text was updated successfully, but these errors were encountered: