That was it!  I thought all modified rules needed to go AFTER the original ones.  

Thanks!
A
On Oct 30, 2013, at 3:22 PM, Josh Amishav-Zlatin <jamuse@owasp.org> wrote:

On Tue, Oct 29, 2013 at 11:23 PM, Macks, Aaron <amacks@harvardbusiness.org> wrote:
I'm trying to skip a rule based on a filename, and thought this config should achieve that:

SecRule REQUEST_FILENAME "^/products/.*thumbnail.gif$" "nolog,pass,ctl:RuleRemoveById=990012"

The thing is, I'm still seeing hits for that rule in the log with filenames that match


Hi Aaron,

I just tested your exception locally and it worked as expected. It's important to note that ruleRemoveById is triggered at run time, thus it needs to be specified **before** the rule which it is disabling. Another good habit is to specify the phase in which the rule should run.

--
 - Josh
 
HEAD /products/6789H-HTM-ENG/thumbnail/thumbnail.gif HTTP/1.1
User-Agent: Jakarta Commons-HttpClient/3.1
.
Message: Warning. Pattern match "(?i:(?:c(?:o(?:n(?:t(?:entsmartz|actbot/)|cealed defense|veracrawler)|mpatible(?: ;(?: msie|\\.)|-)|py(?:rightcheck|guard)|re-project/1.0)|h(?:ina(?: local browse 2\\.|claw)|e(?:rrypicker|esebot))|rescent internet toolpak)|w(?:e(?:b(?: (?:downloader|by ..." at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_35_bad_robots.conf"] [line "27"] [id "990012"] [rev "2.2.5"] [msg "Rogue web site crawler"] [data "Jakarta"] [severity "WARNING"] [tag "AUTOMATION/MALICIOUS"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]

Is it because the request is HEAD and not GET?

A
--
Aaron Macks


_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
--
Aaron Macks
Systems Architect

Harvard Business Publishing
300 North Beacon St.    |   Watertown, MA 02472
(617) 783-7461                |   Fax: (617) 783-7467
www.harvardbusiness.org |   Cell:(978) 317-3614
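
The ordering discussed in this thread, as an added configuration example that is not part of the original messages. The rule id 10001 and the escaped dot in the pattern are assumptions; the rule id 990012, the filename pattern and the activated_rules path come from the thread.

```apache
# Added example, not from the thread. id 10001 is an assumed unused id
# (ModSecurity 2.7 and later require an id on every SecRule).

# Does not work: the exception is loaded after the CRS files and has no
# explicit phase, so rule 990012 can already have been evaluated by the
# time ctl:ruleRemoveById runs.
#   Include /etc/httpd/modsecurity.d/activated_rules/*.conf
#   SecRule REQUEST_FILENAME "^/products/.*thumbnail.gif$" \
#       "nolog,pass,ctl:ruleRemoveById=990012"

# Works: ctl:ruleRemoveById is a run-time action that only affects rules
# evaluated later in the same transaction. Loading the exception before
# the CRS files and pinning it to phase 1 (request headers) makes it run
# before the target rule. The dot before "gif" is escaped so it matches
# a literal dot only (a tightening of the pattern quoted in the thread).
SecRule REQUEST_FILENAME "@rx ^/products/.*thumbnail\.gif$" \
    "id:10001,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=990012"

Include /etc/httpd/modsecurity.d/activated_rules/*.conf

# Contrast: SecRuleRemoveById is a configuration-time directive, so it goes
# AFTER the rule it removes, and it drops the rule for every request in
# scope instead of only the matching filenames.
#   SecRuleRemoveById 990012
```

The exception applies whatever the request method is, since it matches only on REQUEST_FILENAME.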