Closed markussackmann closed 8 years ago
And why is the rule counted twice if it has a match?
2016/05/11 13:07:51 [debug] 21109#0: *402376 is rule [3201] whitelisted in zone ARGS for item ^foo.*
2016/05/11 13:07:51 [debug] 21109#0: *402376 hashing varname [^foo.*]
2016/05/11 13:07:51 [debug] 21109#0: *402376 hashing varname [^foo.*] (rule:3201) - 'wl:X_VAR:^foo.*'
2016/05/11 13:07:51 [debug] 21109#0: *402376 hashing varname [^foo.*] (rule:3201) - 'wl:X_VAR:^foo.*|NAME'
2016/05/11 13:07:51 [debug] 21109#0: *402376 hashing uri#1 [/] (rule:3201) ($URL:X|URI)
2016/05/11 13:07:51 [debug] 21109#0: *402376 hashing uri#3 [#/] (rule:3201) ($URL:X|ZONE|NAME)
2016/05/11 13:07:51 [debug] 21109#0: *402376 hashing MIX [/#^foo.*] ($URL:x|$X_VAR:y) or ($URL:x|$X_VAR:y|NAME)
2016/05/11 13:07:51 [error] 21109#0: *402376 NAXSI_EXLOG: ip=212.51.138.250&server=localhost&uri=/&id=3201&zone=ARGS&var_name=^foo.*&content=bar, client: 212.51.138.250, server: localhost, request: "GET /?^foo.*=bar HTTP/1.1", host: "localhost"
2016/05/11 13:07:51 [debug] 21109#0: *402376 is rule [3201] whitelisted in zone ARGS for item ^foo.*
2016/05/11 13:07:51 [debug] 21109#0: *402376 hashing varname [^foo.*]
2016/05/11 13:07:51 [debug] 21109#0: *402376 hashing varname [^foo.*] (rule:3201) - 'wl:X_VAR:^foo.*'
2016/05/11 13:07:51 [debug] 21109#0: *402376 hashing varname [^foo.*] (rule:3201) - 'wl:X_VAR:^foo.*|NAME'
2016/05/11 13:07:51 [debug] 21109#0: *402376 hashing uri#1 [/] (rule:3201) ($URL:X|URI)
2016/05/11 13:07:51 [debug] 21109#0: *402376 hashing uri#3 [#/] (rule:3201) ($URL:X|ZONE|NAME)
2016/05/11 13:07:51 [debug] 21109#0: *402376 hashing MIX [/#^foo.*] ($URL:x|$X_VAR:y) or ($URL:x|$X_VAR:y|NAME)
2016/05/11 13:07:51 [error] 21109#0: *402376 NAXSI_EXLOG: ip=212.51.138.250&server=localhost&uri=/&id=3201&zone=ARGS&var_name=^foo.*&content=bar, client: 212.51.138.250, server: localhost, request: "GET /?^foo.*=bar HTTP/1.1", host: "localhost"
2016/05/11 13:07:51 [error] 21109#0: *402376 NAXSI_FMT: ip=212.51.138.250&server=localhost&uri=/&learning=1&vers=0.55rc1&total_processed=4&total_blocked=1&block=1&cscore0=$OH&score0=16&zone0=ARGS&id0=3201&var_name0=^foo.*&zone1=ARGS&id1=3201&var_name1=^foo.*, client: 212.51.138.250, server: localhost, request: "GET /?^foo.*=bar HTTP/1.1", host: "localhost"
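Added example, not part of the thread or of naxsi: a small Python check that parses a NAXSI_FMT line and reports any (zone, id, var_name) triple that is listed more than once, using the NAXSI_FMT entry above as sample input. The function names are hypothetical, and it assumes logged values contain no raw `&` and that the payload ends at `, client: `.

```python
import re
from collections import Counter

# Sample input: the NAXSI_FMT entry from the log above (timestamp prefix dropped).
SAMPLE = (
    'NAXSI_FMT: ip=212.51.138.250&server=localhost&uri=/&learning=1'
    '&vers=0.55rc1&total_processed=4&total_blocked=1&block=1'
    '&cscore0=$OH&score0=16&zone0=ARGS&id0=3201&var_name0=^foo.*'
    '&zone1=ARGS&id1=3201&var_name1=^foo.*, client: 212.51.138.250, '
    'server: localhost, request: "GET /?^foo.*=bar HTTP/1.1", host: "localhost"'
)

def parse_naxsi_fmt(line):
    """Split one NAXSI_FMT line into (fields, matches); None if it is not one."""
    m = re.search(r'NAXSI_FMT: (.*?), client: ', line)
    if m is None:
        return None
    fields = {}
    for pair in m.group(1).split('&'):
        key, _, value = pair.partition('=')
        fields[key] = value  # kept exactly as logged, no decoding (assumption)
    # Matches are numbered: zone0/id0/var_name0, zone1/id1/var_name1, ...
    indexes = sorted(int(k[4:]) for k in fields if re.fullmatch(r'zone\d+', k))
    matches = [
        (fields[f'zone{i}'], fields.get(f'id{i}', ''), fields.get(f'var_name{i}', ''))
        for i in indexes
    ]
    return fields, matches

def duplicate_matches(line):
    """Return {(zone, id, var_name): count} for triples listed more than once."""
    parsed = parse_naxsi_fmt(line)
    if parsed is None:
        return {}
    counts = Counter(parsed[1])
    return {match: n for match, n in counts.items() if n > 1}

if __name__ == '__main__':
    for match, n in duplicate_matches(SAMPLE).items():
        print(f'rule {match[1]} listed {n}x for zone={match[0]} var_name={match[2]}')
```

For the sample line it reports rule 3201 twice on ARGS / `^foo.*`; the same line carries score0=16 while the rule at the bottom of the page is declared with s:$OH:8.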
Hello,
I'm investigating a similar issue, I'll keep you posted as soon as I have something :)
Hi,
There is actually a WIP in order to allow mainrule(s) to be more precise, i.e. do things as you want to do. So far, the _X system was mostly designed for whitelists.
Hey,
Can you confirm https://github.com/nbs-system/naxsi/tree/improved-blacklist-matchzones works for you?
cheers,
Hi,
I can confirm that it works. Thank you very much!
The rule however is still counted twice. As soon as the matchzone is defined with $ARGS_VAR or $ARGS_VAR_X the output of NAXSI_EXLOG appears two times.
But if you think this finding is cosmetic you might close the ticket :-)
I'm going to try to fix that!
Stay tuned, keep the issue warm :D
And by the way, you can now even write blacklists like:
MainRule id:X str:foobar "mz:$URL_X:^/foo[0-9]+$|$ARGS_VAR_X:^rtututu$";
(check only if url matches ^/foo[0-9]+$ AND the args name matches ^rtututu$)
Should be fixed now, can you tell me if it's good for you? Actually, it might even (very very slightly) improve things, as this bug allowed us to point out that sometimes rules were pushed twice (and thus checked twice at runtime).
That's great! Just had to test my rules with the additional $URL_X :-) Perfectly works and counts.
Ok, I'm thus closing this issue :) I guess the other issue you opened (about the rule 1015) is a side-effect of this patch :)
Regular Expression doesn't work in $ARGS_VAR_X in MainRule:
"mz:$ARGS_VAR_X:^foo.*"
matches only http://localhost/?^foo.*=bar but not http://localhost/?foo=bar
Version: 0.55rc1
MainRule "rx:bar" "msg:foo" "mz:$ARGS_VAR_X:^foo.*" "s:$OH:8" id:3201;
What am I doing wrong?