If i'm not wrong i think the ARGS are separated by ","

ctl:'ruleUpdateTargetById=
950109;!ARGS:q,!ARGS:id,!ARGS:prefix,!ARGS:suffix'


On Fri, Jun 22, 2012 at 1:50 PM, Breno Silva <breno.silva@gmail.com> wrote:
Hello,

The ruleUpdateTargetById was refactored in 2.7.0. Any chance you try to reproduce it ?

Thanks

Breno


On Fri, Jun 22, 2012 at 12:17 PM, <rp-modsec-list@bev.net> wrote:
Hello,

There appears to be a significant memory leak when using modsecurity (v. 2.6.6
and earlier) with ruleUpdateTargetById directive *and* using alternation.

#####################
# Memory usage sample:
#####################
Memory usage(RSS) starts out at about 27m per apache child.
An apache child process grew to >300m RSS after handling only about 100
requests.

#####################
# Version info:
#####################
- modsecurity version info:
  ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/) configured.
  ModSecurity: APR compiled version="1.2.7"; loaded version="1.2.7"
  ModSecurity: PCRE compiled version="6.6"; loaded version="6.6 06-Feb-2006"
  ModSecurity: LIBXML compiled version="2.6.26"

#####################
# Steps to reproduce:
#####################
# Using a rule like this causes a memleak:
SecAction "phase:1,nolog,noauditlog,pass, \
ctl:'ruleUpdateTargetById=950109;!ARGS:q|!ARGS:id|!ARGS:prefix|!ARGS:suffix', \
ctl:'ruleUpdateTargetById=950901;!ARGS:q|!ARGS:id|!ARGS:prefix|!ARGS:suffix', \
ctl:'ruleUpdateTargetById=950006;!ARGS:q|!ARGS:id|!ARGS:prefix|!ARGS:suffix'"

# This rule does *not* cause a memleak (eg w/o alternation)
SecAction "phase:1,nolog,noauditlog,pass, \
ctl:'ruleUpdateTargetById=950109;!ARGS:q', \
ctl:'ruleUpdateTargetById=950901;!ARGS:q', \
ctl:'ruleUpdateTargetById=950006;!ARGS:q'"


-RP

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/