From ae8a6e4af95e204f9340d993618ddc486e0217c3 Mon Sep 17 00:00:00 2001 From: Jitendra Patro <86168235+Xhoenix@users.noreply.github.com> Date: Sun, 7 May 2023 01:34:17 +0530 Subject: [PATCH 1/4] added support for SecRuleUpdateTargetByTag --- src/secrules_parsing/model/secrules.tx | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/secrules_parsing/model/secrules.tx b/src/secrules_parsing/model/secrules.tx index 2c52a2f..073a531 100644 --- a/src/secrules_parsing/model/secrules.tx +++ b/src/secrules_parsing/model/secrules.tx @@ -12,7 +12,7 @@ SecRule */ Rule: SecAction | SecRuleScript | SecRule | SecMarker | SecComponentSignature | - SecRuleRemoveById | SecRuleRemoveByTag; + SecRuleRemoveById | SecRuleRemoveByTag | SecRuleUpdateTargetByTag; SecAction: 'SecAction' '"' actions+=Action[','] '"'; @@ -32,6 +32,9 @@ SecRuleRemoveById: SecRuleRemoveByTag: 'SecRuleRemoveBytag' tag=Tag; +SecRuleUpdateTargetByTag: + 'SecRuleUpdateTargetByTag' '"'? tag=Tag '"'? '"'? negated='!'? variables=Variable '"'?; + // ActionList can be empty if is the last rule in chain SecRule: 'SecRule' variables+=Variable['|'] '"' negated='!'? '@'?- operator=Operator '"' '"'? actions+=Action[',']? '"'?; @@ -40,7 +43,7 @@ IDRangeList: idlist+=ID | range=IDRange; /* -There is no chech against collections existance, or typying between variables and value (e.g: TIME_DAY and its referred value must be equal to some integer) +There is no check against collections existance, or typying between variables and value (e.g: TIME_DAY and its referred value must be equal to some integer) FILES is a collection, so it doesn't belong here */ Variable: From 350ff8cfd4791300d2ef17b80691f557bbf30a05 Mon Sep 17 00:00:00 2001 From: Jitendra Patro Date: Mon, 8 May 2023 14:41:53 +0530 Subject: [PATCH 2/4] defined "ID" for single rules and added SecRuleUpdateTargetById --- src/secrules_parsing/model/secrules.tx | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) 
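Review bot: In the new `SecRuleUpdateTargetByTag` rule (patch 1/4, second hunk) every quote is its own optional token (`'"'? tag=Tag '"'? '"'? ...`), so a directive with an opening quote and no closing one, or the reverse, still parses. These directives change which targets a WAF rule inspects, so rejecting malformed quoting is safer than accepting it; pairing the quotes in an alternation such as `('"' tag=Tag '"' | tag=Tag)` would do that. The same independent-quote pattern carries through to the `TARGET` rule added in patch 4/4. How `Tag` itself treats quote characters is not visible in this hunk and should be confirmed before tightening.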
diff --git a/src/secrules_parsing/model/secrules.tx b/src/secrules_parsing/model/secrules.tx index 073a531..112f208 100644 --- a/src/secrules_parsing/model/secrules.tx +++ b/src/secrules_parsing/model/secrules.tx @@ -12,7 +12,7 @@ SecRule */ Rule: SecAction | SecRuleScript | SecRule | SecMarker | SecComponentSignature | - SecRuleRemoveById | SecRuleRemoveByTag | SecRuleUpdateTargetByTag; + SecRuleRemoveById | SecRuleRemoveByTag | SecRuleUpdateTargetById | SecRuleUpdateTargetByTag; SecAction: 'SecAction' '"' actions+=Action[','] '"'; @@ -32,6 +32,9 @@ SecRuleRemoveById: SecRuleRemoveByTag: 'SecRuleRemoveBytag' tag=Tag; +SecRuleUpdateTargetById: + 'SecRuleUpdateTargetById' ids=ID '"'? negated='!'? variables=Variable '"'?; + SecRuleUpdateTargetByTag: 'SecRuleUpdateTargetByTag' '"'? tag=Tag '"'? '"'? negated='!'? variables=Variable '"'?; @@ -225,6 +228,10 @@ For operations, use RegExp as these have \" RegExp: /((\\")|[^"])*/; SlashedRegExp: /[^\/]+/; + +// A rule ID +ID: /\d{6}/; + /* A rules ID Range: 920000-920010 */ From c45d86fa6adeeb1be32b71ba272ae4bfb37710bc Mon Sep 17 00:00:00 2001 From: Jitendra Patro <86168235+Xhoenix@users.noreply.github.com> Date: Mon, 15 May 2023 19:10:00 +0530 Subject: [PATCH 3/4] Update secrules.tx --- src/secrules_parsing/model/secrules.tx | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/src/secrules_parsing/model/secrules.tx b/src/secrules_parsing/model/secrules.tx index 112f208..85afc6e 100644 --- a/src/secrules_parsing/model/secrules.tx +++ b/src/secrules_parsing/model/secrules.tx @@ -33,7 +33,7 @@ SecRuleRemoveByTag: 'SecRuleRemoveBytag' tag=Tag; SecRuleUpdateTargetById: - 'SecRuleUpdateTargetById' ids=ID '"'? negated='!'? variables=Variable '"'?; + 'SecRuleUpdateTargetById' id=INT '"'? negated='!'? variables=Variable '"'?; SecRuleUpdateTargetByTag: 'SecRuleUpdateTargetByTag' '"'? tag=Tag '"'? '"'? negated='!'? variables=Variable '"'?; 
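Review bot: `id=INT` in `SecRuleUpdateTargetById` (patch 3/4, first hunk) is looser than a rule id, because textX's built-in `INT` accepts a leading sign and converts the match to a Python int. A value such as `-942100` (constructed example) would therefore parse, and leading zeros are not preserved. A dedicated match rule, for instance `RuleId: /[0-9]+/;` used as `id=RuleId`, limits the value to plain digits, though the attribute then becomes a string. The same applies to `idlist+=INT` in the next hunk. `IDRange` exists in the grammar but is not reachable from this rule, so it is worth confirming whether the directive should also accept a range.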
@@ -43,7 +43,7 @@ SecRule: 'SecRule' variables+=Variable['|'] '"' negated='!'? '@'?- operator=Operator '"' '"'? actions+=Action[',']? '"'?; IDRangeList: - idlist+=ID | range=IDRange; + idlist+=INT | range=IDRange; /* There is no check against collections existance, or typying between variables and value (e.g: TIME_DAY and its referred value must be equal to some integer) @@ -229,9 +229,6 @@ RegExp: /((\\")|[^"])*/; SlashedRegExp: /[^\/]+/; -// A rule ID -ID: /\d{6}/; - /* A rules ID Range: 920000-920010 */ From 5fd79815d2f956636ec66df8d7c5ef0c88e7574d Mon Sep 17 00:00:00 2001 From: Jitendra Patro <86168235+Xhoenix@users.noreply.github.com> Date: Sun, 21 May 2023 12:14:17 +0530 Subject: [PATCH 4/4] Update secrules.tx added a new TARGET variable and updated rules accordingly --- src/secrules_parsing/model/secrules.tx | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/secrules_parsing/model/secrules.tx b/src/secrules_parsing/model/secrules.tx index 85afc6e..2715932 100644 --- a/src/secrules_parsing/model/secrules.tx +++ b/src/secrules_parsing/model/secrules.tx @@ -33,10 +33,10 @@ SecRuleRemoveByTag: 'SecRuleRemoveBytag' tag=Tag; SecRuleUpdateTargetById: - 'SecRuleUpdateTargetById' id=INT '"'? negated='!'? variables=Variable '"'?; + 'SecRuleUpdateTargetById' id=INT targets+=TARGET[',']?; SecRuleUpdateTargetByTag: - 'SecRuleUpdateTargetByTag' '"'? tag=Tag '"'? '"'? negated='!'? variables=Variable '"'?; + 'SecRuleUpdateTargetByTag' '"'? tag=Tag '"'? targets+=TARGET[',']?; // ActionList can be empty if is the last rule in chain SecRule: @@ -237,6 +237,8 @@ IDRange: /"[0-9]+-[0-9]+"/; // URI path, tipically used in beginsWith, contains, etc. URI: /\/[a-zA-Z0-9-_\.\/]+/; +TARGET: '"'? negated='!'? variables=Variable '"'?; + Hostname: /[a-z][a-zA-Z0-9-_\.\/]+/; ParameterName: /[a-zA-Z0-9\-\-]+/;
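Review bot: The trailing `?` on `targets+=TARGET[',']?` (patch 4/4, first hunk, in both `SecRuleUpdateTargetById` and `SecRuleUpdateTargetByTag`) makes the whole target list optional, so a directive that names a rule id or tag but no target parses with an empty `targets`. Such a line updates nothing and is most likely a truncated or mistyped exclusion, which a parser used for rule review should reject. Dropping the `?` gives `'SecRuleUpdateTargetById' id=INT targets+=TARGET[','];`, and likewise for the tag variant. The separator is also only `,`, whereas `SecRule` uses `variables+=Variable['|']`; whether pipe-separated targets are valid for these directives should be checked against the ModSecurity reference.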
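Review bot: `TARGET` (patch 4/4, last hunk) is an object rule with attributes but is named like the regex terminals around it (`URI`), and its plural `variables` attribute holds exactly one `Variable`. Something like `Target: '"'? negated='!'? variable=Variable '"'?;` would match the naming of `Variable` and `Tag` and read correctly in code that walks the model. A one-line comment above it would also help, e.g. `// One target of an update directive; negated is set when the target is prefixed with '!'`. Other rules in this file carry such comments, and the `!` prefix is what a reviewer of exclusions needs to see at a glance.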