Re: [mod-security-users] Bypassing SecGuardianLog
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Bypassing SecGuardianLog
|
From: Nicholas S. <mod...@th...> - 2008-10-24 16:24:37
|
Thanks Ivan,
Can you give me a working example of how I would whitelist a range of
IP's using this hidden feature? And requests based on their HTTP
Header or Header Name? Also, is it possible to setup more than one
flag/env var? My requirement is that I do not process anything coming
from:
REQUEST_ADDR 192.168.1.XXX
and
REQUEST_HEADER_NAMES X-MyHeader-Name
Would I even need more than one flag to do this?
If you could please give me a working example of how to configure this
that would be stupendous. By the way I am using:
Apache 2.0.61 w/ ModSecurity 2.1.3.
Gratefully,
Nick
On Fri, Oct 24, 2008 at 3:09 AM, Ivan Ristic <iva...@gm...> wrote:
> It's been a while since I used the guardian log, so I had to look into
> the source code for clues. While this facility is separate from
> everything else ModSecurity does (and that's why whitelisting as per
> FAQ does not work), there appears to be one undocumented parameter to
> the SecGuardianLog directive. Here's an (untested) example of its
> usage:
>
> SecGuardianLog "|/path/to/your/script" env=!flag
>
> The optional parameter is about an environment flag you can set to
> prevent a transaction from going to the guardian log. The exclamation
> mark is optional. This feature was designed to allow for integration
> with other modules, but it can be used to integrate with ModSecurity
> itself.
>
> To answer your question, if there's a transaction you don't want to
> log simply create a flag ("flag" in the above example) using the
> setenv action in ModSecurity.
>
>
> On Thu, Oct 23, 2008 at 4:38 PM, Nicholas Schuetz
> <mod...@th...> wrote:
>> Can anyone help me with bypassing SecGuardianLog? I want to whitelist
>> certain REMOTE_ADDR's and REQUEST_HEADERS_NAMES. I do not want them
>> to be processed by httpd-guardian at all. I've tried using this
>> example
>>
>> http://www.modsecurity.org/documentation/faq.html#d0e400
>>
>> but I still see the ip going into the /tmp/httpd-guardian.state. On
>> the Freenode IRC channel #modsecurity It's been suggested that I could
>> use skip to do this but I don't quite know how to implement that. If
>> someone could give me an example and or add this to the FAQ's that
>> would be wonderful. Any help at all would be appreciated.
>>
>>
>> Regards,
>>
>> Nick
>>
>> -------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
>> Build the coolest Linux based applications with Moblin SDK & win great prizes
>> Grand prize is a trip for two to an Open Source event anywhere in the world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>
>
>
>
> --
> Ivan Ristic
>
|