On Wed, Oct 30, 2013 at 11:08 AM, Jan Phillip Greimann <jg@softjury.de> wrote:

Hi Josh,

that's not quite the answer to my question. My question is about the
ARGS which are used within the Action

     ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/XSS;ARGS:login

Not for the rule-filter itself.

Hi Jan,

Sorry for the confusion. To exclude multiple variables, try using multiple ctl directives within the action. For example, the following rules return a 403 if the string 'jojo' is in a parameter value, unless the parameter name is 't' or 'y'.

     SecRule REQUEST_FILENAME "^/$" "phase:2,id:2,t:none,pass,ctl:ruleRemoveTargetByTag=test;ARGS:t,ctl:ruleRemoveTargetByTag=test;ARGS:y"

     SecRule ARGS jojo "phase:2,t:none,deny,id:1,tag:'test'"

--
 - Josh

- Jan
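
The same technique applied to the tag from Jan's question, as an added example that is not part of the original thread. The path `/login`, the second parameter name `password`, and the rule id `1000` are assumptions chosen for illustration.

```apache
# Added example (not from the thread). Assumed values: path /login,
# parameter name "password", rule id 1000.
#
# Load this BEFORE the CRS rule files: like Josh's id:2 rule, it runs in
# phase 2 and has to execute ahead of the tagged rules it modifies.
# One ctl action per excluded target; each applies only to the current
# transaction, so XSS inspection of these parameters stays active on
# every other URI.
SecRule REQUEST_FILENAME "@streq /login" \
    "phase:2,id:1000,t:none,pass,nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/XSS;ARGS:login,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/XSS;ARGS:password"

# Configuration-time alternative, shown commented out. It removes the
# target on ALL URIs, which is a wider exclusion than the rule above,
# and it must be loaded AFTER the rules carrying the tag.
# SecRuleUpdateTargetByTag "OWASP_CRS/WEB_ATTACK/XSS" "!ARGS:login|!ARGS:password"
```

Keeping the exclusion tied to a single path and to named parameters limits how much XSS coverage is given up; the rules still inspect every other argument sent to `/login`.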


_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users