Adopt the undocumented unconditionalMatch operator
_Issue originally created by user dune73 on date 2016-08-26 16:53:39. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/554._
The undocumented operator `@unconditionalMatch` does exactly what you expect it to do.
Example Use:
SecRule REMOTE_ADDR "@unconditionalMatch" "id:1000,phase:1,pass,nolog,t:hexEncode,setvar:TX.ip_hash=%{MATCHED_VAR}"
We do empty regex matches quite a lot in situations similar to the example above. This means we match `@rx .` or something of the sort in order to fill `%{MATCHED_VAR}`. And this brings a substantial overhead, which can be avoided by the use of `@unconditionalMatch`.
Furthermore, I have a feeling it will - when combined with chain - allow for new rule constructs of the following form:
SecRule ARGS "@rx test" "id:1000,phase:1,pass,log,chain"
SecRule MATCHED_VARS_NAME "@unconditionalMatch" "setvar:..."
I need to think about this some more, but this could potentially bring solutions to the problem that the rule chains first loop over all ARGS of the first rule and then loop over the 2nd rule with all matched vars (instead of the 2nd rule immediately after the first match). This “first rule loop first” results in the 2nd rule not knowing which ARGS it is working on. unconditionalMatch might help. Or maybe not.
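The evaluation order described in the issue above, as a simplified Python model (an added example, not ModSecurity or CRS code and not part of the original issue). It shows rule 1 finishing its loop over all ARGS before rule 2 starts, and rule 2 then visiting each matched name through an always-true operator. The function names, sample arguments and the `seen.` key format are assumptions made for illustration.

```python
import re

# Constructed sample request arguments (name, value); not taken from the issue.
SAMPLE_ARGS = [("a", "test1"), ("b", "clean"), ("c", "my test")]

def rx(pattern):
    """Model of @rx: true when the regex finds a match in the target value."""
    compiled = re.compile(pattern)
    return lambda value: compiled.search(value) is not None

def unconditional_match(value):
    """Model of @unconditionalMatch: every target matches, no regex is run."""
    return True

def run_rule(targets, operator, on_match):
    """Loop over all targets of one rule, firing on_match(name, value) per hit."""
    matched = []
    for name, value in targets:
        if operator(value):
            matched.append((name, value))
            on_match(name, value)
    return matched

def run_chain(args):
    """Model of the two-rule chain from the issue; returns (trace, tx)."""
    trace, tx = [], {}
    # Rule 1: SecRule ARGS "@rx test" ... chain  (loops over every ARG first)
    first = run_rule(args, rx("test"), lambda n, v: trace.append(("rule1", n)))
    if not first:
        return trace, tx  # the chain stops when the first rule has no match
    # Rule 2 starts only now; its targets are the names rule 1 matched.
    names = [(name, name) for name, _ in first]

    def setvar(_name, matched_var):
        # Stands in for setvar:...%{MATCHED_VAR}; the key format is hypothetical.
        trace.append(("rule2", matched_var))
        tx["seen." + matched_var] = 1

    run_rule(names, unconditional_match, setvar)
    return trace, tx

if __name__ == "__main__":
    for step in run_chain(SAMPLE_ARGS)[0]:
        print(step)
```

The trace lists both `rule1` entries before any `rule2` entry, which is the "first rule loop first" order the issue describes; whether ModSecurity itself exposes the matched names this way is the open question the issue raises.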
Top GitHub Comments
User lifeforms commented on date 2016-08-27 09:25:44:
A small, localized party is in order.
User dune73 commented on date 2016-08-27 03:18:24:
It is funny, I wanted to have this operator for several weeks now and was thinking about doing a feature request.
Then yesterday as I was reading the debug_log I saw it displayed during the execution of SecAction. It seems this is used to implement SecAction via SecRule.
Then I googled it and found it is used by Ivan in the performance chapter in a recipe on page 192. (Actually next to `@noMatch` but I did not notice this yesterday. Thanks for pointing this out). Somehow it felt like a x-mas gift or an archaeological discovery. 😉