Re: [mod-security-users] Bypassing SecGuardianLog
From: Nicholas S. <mod...@th...> - 2008-10-24 16:24:37
Thanks Ivan,

Can you give me a working example of how I would whitelist a range of IPs using this hidden feature? And requests based on their HTTP Header or Header Name? Also, is it possible to set up more than one flag/env var?

My requirement is that I do not process anything coming from:

REQUEST_ADDR 192.168.1.XXX
and
REQUEST_HEADER_NAMES X-MyHeader-Name

Would I even need more than one flag to do this? If you could please give me a working example of how to configure this, that would be stupendous.

By the way, I am using: Apache 2.0.61 w/ ModSecurity 2.1.3.

Gratefully,
Nick

On Fri, Oct 24, 2008 at 3:09 AM, Ivan Ristic <iva...@gm...> wrote:
> It's been a while since I used the guardian log, so I had to look into
> the source code for clues. While this facility is separate from
> everything else ModSecurity does (and that's why whitelisting as per
> FAQ does not work), there appears to be one undocumented parameter to
> the SecGuardianLog directive. Here's an (untested) example of its
> usage:
>
> SecGuardianLog "|/path/to/your/script" env=!flag
>
> The optional parameter is about an environment flag you can set to
> prevent a transaction from going to the guardian log. The exclamation
> mark is optional. This feature was designed to allow for integration
> with other modules, but it can be used to integrate with ModSecurity
> itself.
>
> To answer your question, if there's a transaction you don't want to
> log simply create a flag ("flag" in the above example) using the
> setenv action in ModSecurity.
>
>
> On Thu, Oct 23, 2008 at 4:38 PM, Nicholas Schuetz
> <mod...@th...> wrote:
>> Can anyone help me with bypassing SecGuardianLog? I want to whitelist
>> certain REMOTE_ADDR's and REQUEST_HEADERS_NAMES. I do not want them
>> to be processed by httpd-guardian at all. I've tried using this
>> example
>>
>> http://www.modsecurity.org/documentation/faq.html#d0e400
>>
>> but I still see the ip going into the /tmp/httpd-guardian.state. On
>> the Freenode IRC channel #modsecurity it's been suggested that I could
>> use skip to do this but I don't quite know how to implement that. If
>> someone could give me an example and/or add this to the FAQ that
>> would be wonderful. Any help at all would be appreciated.
>>
>>
>> Regards,
>>
>> Nick
>
> --
> Ivan Ristic
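
The configuration described in the quoted reply, written out as an added example that is not part of the original thread and, like the directive line in that reply, is untested. It assumes `env=!flag` behaves as the reply describes (a transaction with the flag set is kept out of the guardian log); the flag name `skip_guardian` is made up for illustration, and the script path is the placeholder from the thread.

```apache
# Added example, not from the thread. "skip_guardian" is a hypothetical
# flag name; any environment variable name would do.

# Flag requests from the internal range. ModSecurity 2.1.x has no
# CIDR-style operator, so the range is expressed as an anchored regex.
SecRule REMOTE_ADDR "^192\.168\.1\.\d{1,3}$" \
    "phase:1,nolog,pass,setenv:skip_guardian=1"

# Flag requests that carry the marker header. REQUEST_HEADERS_NAMES is the
# collection of header names; (?i) makes the match case-insensitive because
# clients may send the name in any case.
# Caveat: a header is client-controlled, so any client that learns the
# name can set it and stay out of the guardian log. Rely on this rule
# only when an upstream proxy strips the header from untrusted traffic.
SecRule REQUEST_HEADERS_NAMES "(?i)^X-MyHeader-Name$" \
    "phase:1,nolog,pass,setenv:skip_guardian=1"

# Pass a transaction to the guardian script only when the flag is absent
# (assumed semantics of the undocumented env= parameter, per the reply).
SecGuardianLog "|/path/to/your/script" env=!skip_guardian
```

Both rules set the same variable, so a single flag covers the address range and the header condition. A check after deploying is to send one request from a flagged address and confirm that the address no longer shows up in /tmp/httpd-guardian.state.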