SimpleFC::AdvAddRule from NSIS Simple Firewall Plugin will add a duplicate rule if the exact rule already exists.
SimpleFC::AdvRemoveRule [name] will remove one entry, but not all of them.
What is a good way to remove duplicated firewall rules?
You could probably use a loop and remove one by one until SimpleFC::AdvExistsRule is false if they all have the same name.
Related
I want to add a custom ModSecurity (V3) rule that can block all user agents, and allow me to whitelist certain User Agents from a file.
If this is possible, if someone could share the rule with me, that would be great. I cannot seem to figure out the rule to do this.
Thanks!
This is a bit dangerous what you want to do, but I try to give you some help.
I think CRS rule 913100 would be a good point to start for you.
It's a bit complex if you new in ModSecurity any SecLang, so in short, this would be a possible solution. Create a rule for your WAF, like this:
SecRule REQUEST_HEADERS:User-Agent "!#pmFromFile allowed-user-agents.data" \
"id:9013100,\
phase:1,\
deny,\
t:none,\
msg:'Found User-Agent associated with security scanner',\
logdata:'Matched Data: illegal UA found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'"
Please note, that you can choose any id for your rule what you want, but there is a reservation list for id's:
https://coreruleset.org/docs/rules/ruleid/#id-reservations
It's highly recommended you choose a right one to avoid the collision with other rules. 9013100 would be a good choice, and it represents where this rule is derived from.
Then you have to make a file with a list of your allowed user agents. Note, that you have to place that list in same directory as the rule conf file exists. The name of file must be (as you can see above) allowed-user-agents.data. You can put an agent per line. Also you can use comments with # at the beginning of the rule - just see the CRS's data file.
How this rule works?
SecRule is a token which tells the engine that this is a rule. REQUEST_HEADERS is a collection (a special variable), what the engine expands from the HTTP request. The : after the name indicates that you want to investigate only the mentioned header, namely User-Agent.
The next block is the operator. As documentation says #pmFromFile "Performs a case-insensitive match of the provided phrases against the desired input value.". This is what you need exactly. There is a ! sign before the operator. This inverts the operator's behavior, so it will be TRUE if the User-Agent isn't there in the file.
The next section is the action's list. id is mandatory, this identifies the rule. phase:1 is optional but very recommended to place one. For more information, see the reference. deny is a disruptive action, it terminates the request immediately. msg will append a message to the log in every cases. logdata will show a detailed info about the rule result.
Why is this a little dangerous
As you can see in the documentation of #pmFromFile operator, it uses patterns. This means you do not have to place the exact User-Agent names, it's enough to put a pattern, like "curl", or "mozilla" - but be careful, a wrong pattern can lead to false positive results, which means - in this case - an attacker can bypass your rule: it's enough to place the pattern to trick it.
Consider you put the pattern my-user-agent into the data file. Now if someone just uses this pattern as User-Agent, the rule won't match.
It is generally true that handling whitelists in this way (in some special contexts, like this) is dangerous, because it's easy to bypass them.
I am having problem to rewrite a url that may or may not include a secondary pattern.
This is a rewrite mod for a login system.
I want to rewrite
"contoso.com/register/1/"
and
"contoso.com/register/2/{key}"
However, I found that if I have
^register/([1-2]+).*
I am not going to get the key for step 2 of the registration.
And if I use
^register/([1-2]+)/([_0-9a-zA-Z-]+).*
for my mask. It is not going to rewrite "contoso.com/register/1/" .
Will it be possible to rewrite in just one rule? Or I must have two separate rules for this scenario?
It will be good to help with the IIS presentation. But if you know the method on .htaccess. I am also able to convert myself. Many thanks!
I have done some research on Regex and found that a /* mask will make the rule work while it excludes "/" being detected.
The mask I am having now is
^register/([1-2]+)/*([_0-9a-zA-Z-]+)
Which will take step 1 as {R:1} and key after slash as {R:2}
For upcomming larger Xpages project we need to use substitution rules to provide SEO friendly URLs. We need to define rules similar to this one:
Incoming URL pattern: /*/products?*
Replacement pattern: /web.nsf/view.xsp?lang=*&*
This substitution should work with URL e.g.:
/cz/products?start=1&count=20
and substitute to
/web.nsf/view.xsp?lang=cz&start=1&count=20
But we just found out that when incoming rule contains '?' it simply returns Error 404 . We found this reported here http://www-10.lotus.com/ldd/nd8forum.nsf/DateAllFlatWeb/a8162420467d5b45852576c7007fc045?OpenDocument.
Is there any workaround or fix for this situation ? Documentation doesnt mention such limitation ... which is, in fact, very significant because we are not able to redefine the rule to fit our (very common) situation.
Any idea how to fix this?
I do not think you can solve that issue easily.
If you can't find an easy solution I would suggest you to look on these 2 approaches:
You build DSAPI filter and define your custom substitutions there (that way speed won't be affected).
You point requests to single xsp and that xsp will check incoming requests and redirect them to appropriate place (based on your custom substitutions).
I have a requirement to make the following paths work.
Depending on what the url consists of, they are mapped to go to different java classes.
/books/
/books/science/
/books/science/fiction/
/books/science/fiction/kids/
So, I have given the rewrite rules in my configuration file as:
^/books$
^/books/(.*)$
^/books/(.*)/(.*)$
^/books/(.*)/(.*)/(.*)$
but the moment I give a url something like this
http://localhost/books/science/fiction/kids/12345
instead of getting captured by the fourth rewrite rule, it is captured by the second one which is not what I want.
Can someone please tell me how to achieve this? Thanks in advance
^/books$ /webapp/wcs/stores/servlet/ABCController?resultsFor=allCategories [PT,QSA]
^/books/(.*)$ /webapp/wcs/stores/servlet/XYZController?make=$1&resultsFor=category [PT,QSA]
^/books/(.*)/(.*)$ /webapp/wcs/stores/servlet/ABCDController?format=$1-$2&resultsFor=subCategory [PT,QSA]
^/books/(.*)/(.*)/(.*)$ /webapp/wcs/stores/servlet/ASDFController?resultsFor=product [PT,QSA]
instead of getting captured by the fourth rewrite rule, it is captured by the second one
That’s because the dot matches any character, so slashes as well.
Replacing it by a character class allowing anything but a slash (and demanding at least one character out of that class, so + instead of *) should fix that: ([^/]+)
Another way would be to reverse the order of your rules … You should always try and write them in order from most to least specific anyway.
I'm using a second domain for my second storeview in Magento.
I want to block this second domain for some countries, and I have already find an solution:
http://www.ip2location.com/blockvisitorsbycountry.aspx
The solution is working great but in my case I have an problem, because I need this solution only for one storeview, not for both.
How can I control that and what do I need to add in the .htaccess file
to block some countries only for the second storeview?
Thank You