
{
"transaction" : {
"transaction_id" : "VbJ9aH8AAQEAAHN3OTcAAABA",
"time" : "24/Jul/2015:11:01:12 --0700",
"remote_port" : 34094,
"local_address" : "127.0.0.1",
"local_port" : 80,
"remote_address" : "127.0.0.1"
},
"request" : {
# NOTE(review): SecDebugLogLevel 9 is the most verbose debug level, and both
# the debug log and the audit log are written under /tmp. These logs can hold
# request data (audit parts B and C are enabled), so on a shared host point
# them at a directory only the server account can access, and lower the debug
# level outside troubleshooting.
modsecurity on;
modsecurity_rules '
SecDefaultAction "phase:2,deny,auditlog,status:403"
SecRuleEngine On
SecDebugLog /tmp/modsec_debug.log
SecDebugLogLevel 9
SecAuditLog /tmp/modsec_audit.log
SecAuditLogRelevantStatus "403"
SecAuditLogParts ABCFHKZ
SecAuditEngine RelevantOnly
[4] Initialising transaction
[4] Transaction context created.
[4] Starting phase CONNECTION. (SecRules 0)
[9] This phase consists of 0 rule(s).
[4] Starting phase URI. (SecRules 0 + 1/2)
[4] Adding request argument (QUERY_STRING): name "a", value "test"
[4] Starting phase REQUEST_HEADERS. (SecRules 1)
[9] This phase consists of 0 rule(s).
[4] Starting phase REQUEST_BODY. (SecRules 2)
[9] This phase consists of 0 rule(s).
diff --git a/src/ngx_http_modsecurity_body_filter.c b/src/ngx_http_modsecurity_body_filter.c
index 1e81d96..7e48087 100644
--- a/src/ngx_http_modsecurity_body_filter.c
+++ b/src/ngx_http_modsecurity_body_filter.c
@@ -56,6 +56,8 @@ ngx_int_t ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *i
for (; chain != NULL; chain = chain->next)
{
+ dd("checking chain %p", chain);
+
$VAR52 = {
'opts' => [
{
'value' => "regexp\\s*?\\(|sounds\\s+like\\s*?[\\\"'`\x{b4}\x{2019}\x{2018}]|[=\\d]+x))|([\\\"'`\x{b4}\x{2019}\x{2018}]\\s*?\\d\\s*?(?:--|#))|(?:[\\\"'`\x{b4}\x{2019}\x{2018}][\\%&<>^=]+\\d\\s*?(=|x?or|div|like|between|and))|(?:[\\\"'`\x{b4}\x{2019}\x{2018}]\\W+[\\w+-]+\\s*?=\\s*?\\d\\W+[\\\"'`\x{b4}\x{2019}\x{2018}])|(?:[\\\"'`\x{b4}\x{2019}\x{2018}]\\s*?is\\s*?\\d.+[\\\"'`\x{b4}\x{2019}\x{2018}]?\\w)|(?:[\\\"'`\x{b4}\x{2019}\x{2018}]\\|?[\\w-]{3",
'opt' => '|\\|\\||\\&\\&)\\s+[\\s\\w+]+(?'
},
{
'opt' => '}[^\\w\\s.'
},
{
#!/usr/bin/perl
use strict;
use warnings;
use Text::CSV;
use Data::Dumper;
# Space-delimited parser: no escape character, binary data accepted, and
# stray quote characters inside a field are tolerated rather than rejected.
my $CSV = Text::CSV->new(
    {
        sep_char           => ' ',
        escape_char        => undef,
        binary             => 1,
        allow_loose_quotes => 1,
    }
);
#!/usr/bin/perl
use strict;
use warnings;
use JSON;
# ModSecurity directive names; presumably the set valid_line() accepts
# (its body is not visible here -- confirm against the sub).
my @valid_directives = ( 'SecRule', 'SecAction', 'SecDefaultAction' );
sub valid_line {
poprocks@soter:~/code/Lua/lua-resty-waf$ cat ~/code/SpiderLabs-owasp-modsecurity-crs-ebe8790/base_rules/modsecurity_crs_* | ./tools/modsec2lua-resty-waf.pl -p ~/code/SpiderLabs-owasp-modsecurity-crs-ebe8790/base_rules/ -f > /dev/null
Cannot translate operator validateUrlEncoding at ./tools/modsec2lua-resty-waf.pl line 560.
SecRule REQUEST_URI \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}) chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'6',accuracy:'8',t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4'
SecRule REQUEST_URI @validateUrlEncoding setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}
Cannot translate operator validateUrlEncoding at ./tools/modsec2lua-resty-waf.pl line 560.
SecRule REQUEST_HEADERS:Content-Type ^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$ chain,ph
{
"access" : [
{
"actions" : {
"disrupt" : "IGNORE",
"nondisrupt" : [
{
"action" : "initcol",
"data" : {
"col" : "IP",
{
"filename":"dos_rules",
"version":"1",
"access" : [
{
"actions" : {
"disrupt" : "IGNORE",
"nondisrupt" : [
{
"action" : "initcol",