Thomas Behrend wrote:
> Terry Dooher wrote:
>> This rule will essentially do nothing at all. pass allows you to log
>> matching entries with actions such as 'log,pass'. Using it on its own or
>> with nolog will do nothing.
>> To explicitly accept a request based on a match, you need to use the
>> allow action:
>> SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" allow,nolog
>> Of course, you'll have to be careful where exactly this rule appears. If
>> you put it at the top, then anyone can subvert the rest of your rule
>> set by simply inserting a euro character in their request. It's good
>> practice to put your allow rules right at the bottom of the list. Of
>> course, if one of your other rules triggers a 'deny' on similar
>> content, then the request will never reach this rule and you'll have to
>> figure out some sort of chaining.
>> I can't comment on the regular expression itself, however. I run a
>> vBulletin 3.0 system myself and I'm curious as to what you're trying to
>> match with the \|+ and \| at either end of it.
> It was one of many tries to get it working, but none worked, not allow,
> not pass, no QUERY_STRING rule, really nothing. The only workaround for it
> was to deactivate the CheckURLEncoding option. For now it's working
> without postscanning, but I will try it without AJAX, maybe I have more
> luck without it.
It didn't work because:
1) URL-encoding is checked before any rules are run.
2) You used THE_REQUEST as the target:
SecFilterSelective THE_REQUEST "\|+.*[\%u20AC].*\|" pass,nolog
and the problem was in the request payload (POST_PAYLOAD).
BTW, please subscribe to the list to have your posts go directly
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
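The two points above (the URL-encoding check runs before any rule, and THE_REQUEST never sees the POST body) together with Terry's warning about where an allow rule sits can be seen in a small model of the processing order. This is an added illustration, not ModSecurity's own code: the request, the rule set and the strict-encoding check are constructed here for the example, the %uXXXX form of the euro sign in the body is an assumption about what the AJAX request carried, and the pattern matches the literal string %u20AC rather than using the character class from the rule in the thread.

```python
"""Toy model of ModSecurity 1.x request handling (illustration only, not
ModSecurity's code): the URL-encoding check runs first, then the rules in
file order, where 'allow' and 'deny' stop processing and 'pass' does not."""
import re
from dataclasses import dataclass

HEX = set("0123456789abcdefABCDEF")


def url_encoding_valid(text: str) -> bool:
    """Strict check in the spirit of SecFilterCheckURLEncoding: every '%'
    must be followed by exactly two hex digits.  '%u20AC' fails because
    'u' is not a hex digit, so the check rejects it before any rule runs."""
    i = 0
    while i < len(text):
        if text[i] == "%":
            if i + 2 >= len(text) or text[i + 1] not in HEX or text[i + 2] not in HEX:
                return False
            i += 3
        else:
            i += 1
    return True


@dataclass
class Request:
    request_line: str   # what a THE_REQUEST rule matches against
    body: str           # what a POST_PAYLOAD rule matches against


@dataclass
class Rule:
    target: str         # "THE_REQUEST" or "POST_PAYLOAD"
    pattern: str
    action: str         # "allow", "deny" or "pass"

    def matches(self, req: Request) -> bool:
        text = req.request_line if self.target == "THE_REQUEST" else req.body
        return re.search(self.pattern, text) is not None


def process(req: Request, rules: list, check_url_encoding: bool = True) -> tuple:
    """Return (decision, reason).  The encoding check happens before any
    rule is consulted, so no 'allow' rule can rescue a request it rejects."""
    if check_url_encoding:
        for name, text in (("request line", req.request_line), ("body", req.body)):
            if not url_encoding_valid(text):
                return ("deny", f"invalid URL encoding in {name}")
    for rule in rules:
        if not rule.matches(req):
            continue
        if rule.action == "pass":
            continue          # 'pass' only affects logging; processing goes on
        return (rule.action, f"{rule.target} {rule.pattern!r} {rule.action}")
    return ("allow", "no rule matched")


# Constructed sample (assumption): a vBulletin-style AJAX POST whose body
# carries the euro sign in the %uXXXX form that the strict check rejects.
AJAX_POST = Request(
    request_line="POST /ajax.php HTTP/1.1",
    body="do=updateposts&content=|%u20AC|",
)
EURO_RE = r"\|+.*%u20AC.*\|"   # literal-string version of the thread's pattern

RULES_THE_REQUEST = [Rule("THE_REQUEST", EURO_RE, "allow"),   # wrong target
                     Rule("POST_PAYLOAD", r"%u", "deny")]
RULES_DENY_FIRST = [Rule("POST_PAYLOAD", r"%u", "deny"),       # deny shadows allow
                    Rule("POST_PAYLOAD", EURO_RE, "allow")]
RULES_ALLOW_FIRST = [Rule("POST_PAYLOAD", EURO_RE, "allow"),   # allow on top bypasses deny
                     Rule("POST_PAYLOAD", r"%u", "deny")]


def demo() -> dict:
    """Run the same request through the four situations discussed in the thread."""
    return {
        # encoding check on: rejected before the allow rule is ever reached
        "check_on": process(AJAX_POST, RULES_DENY_FIRST),
        # check off, but THE_REQUEST does not contain the body: allow never matches
        "the_request": process(AJAX_POST, RULES_THE_REQUEST, check_url_encoding=False),
        # check off, correct target, but an earlier deny fires first
        "deny_first": process(AJAX_POST, RULES_DENY_FIRST, check_url_encoding=False),
        # check off, allow placed first: the deny below it is never consulted
        "allow_first": process(AJAX_POST, RULES_ALLOW_FIRST, check_url_encoding=False),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} -> {outcome}")
```

The first case is the one Thomas hit: with the encoding check enabled the request is rejected on the body before the rule list is consulted, which is why neither allow nor pass made any difference and only turning the check off worked. The remaining cases show the target problem (the body is not part of THE_REQUEST) and Terry's ordering point in both directions.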