Basic streaming detection on raw request/response

[rcbarnett-zz]

MODSEC-147: I'd like to begin the process of streaming inspection. Initially only on the raw request and response (i.e. connection level filter data).

See MODSEC-17 and MODSEC-18 for the basic ideas.

Here, I only want these to work:

SecStreamInspect REQUEST "@pmf huge-prequal-list.dat" "nolog,pass,setvar:TX.prequal=1"
SecStreamInspect RESPONSE "@verifyCC \b(\d{13,16})\b" "log,drop,msg='CC# detected in response',sanitizeMatchedBytes"

Or maybe these are better:

SecRule STREAM_REQUEST "@pmf huge-prequal-list.dat" "phase:rawrequest,nolog,pass,setvar:TX.prequal=1"
SecRule STREAM_RESPONSE "@verifyCC \b(\d{13,16})\b" "phase:rawresponse,log,drop,msg='CC# detected in response',sanitizeMatchedBytes"

sanitizeMatchedBytes (MODSEC-146) MUST sanitize (x out) all of the bytes that matched.

[rcbarnett-zz]

Original reporter: brectanus

[rcbarnett-zz]

rbarnett: I am assuming that by stream inspection, we mean that modsecurity will be able to act as a "filter". I like the following syntax -

SecRule STREAM_REQUEST "@pmf huge-prequal-list.dat" "phase:rawrequest,nolog,pass,setvar:TX.prequal=1"
SecRule STREAM_RESPONSE "@verifyCC \b(\d{13,16})\b" "phase:rawresponse,log,drop,msg='CC# detected in response',sanitizeMatchedBytes"

[rcbarnett-zz]

bpinto: We start doing it with STREAM_INPUT_BODY / STREAM_OUTPUT_BODY. A real full stream inspection need to wait more

[rcbarnett-zz]

bpinto: We are still buffering this variables. I really don't know if make sense has it for modsecurity. I'm moving it for future versions