Hi again.

In this link (http://sourceforge.net/mailarchive/message.php?msg_id=31395454) that directive is used as follows:

SecRule REQUEST_URI "/login.pl" "phase:1,t:none,pass, \

id:613,nolog,ctl:ruleRemoveTargetByTag=WEB_ATTACK/SQL_INJECTION;ARGS:password

As a normal firewall, it seems mod_security needs rule enabling before the general rule disabling (In a normal firewall, top firewall rules enables services while bottom rules denied all access).

IŽll hope this can help you.

Kind regards,


2013/10/30 Josh Amishav-Zlatin <jamuse@owasp.org>
On Wed, Oct 30, 2013 at 3:57 PM, Jan Phillip Greimann <jg@softjury.de> wrote:
Hi Josh,

I've got a second problem:

SecRule REQUEST_FILENAME "^/../login$"
"phase:1,id:1005,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=OWASP_CRS/(WEB_ATTACK/(SQL_INJECTION|XSS|LDAP_INJECTION)|PROTOCOL_VIOLATION/EVASION);ARGS:login[password]"


Hi Jan,

As a workaround perhaps tweak the regex to bypass the problematic characters, e.g.:

SecRule REQUEST_FILENAME "^/../login$" "phase:1,id:1005,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=OWASP_CRS.*WEB_ATTACK.*SQL_INJECTION.XSS.LDAP_INJECTION.*PROTOCOL_VIOLATION.*EVASION.*;ARGS:login[password]"
 
--
 - Josh

is one of my rules. In my logic it should work, but I get the following
error:

Syntax error on line 23 of
/etc/modsecurity/modsecurity_crs_15_pre_custom.conf:
Error parsing actions: ModSecurity: Invalid regular expression
"OWASP_CRS/(WEB_ATTACK/(SQL_INJECTION"
Action 'configtest' failed.
The Apache error log may have more information.
  failed!

Where is the problem, in my opinion it's right. :-/


------------------------------------------------------------------------------
Android is increasing in popularity, but the open development platform that
developers love is also attractive to malware creators. Download this white
paper to learn more about secure code signing practices that can help keep
Android apps secure.
http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/


------------------------------------------------------------------------------
Android is increasing in popularity, but the open development platform that
developers love is also attractive to malware creators. Download this white
paper to learn more about secure code signing practices that can help keep
Android apps secure.
http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/