Re: [mod-security-users] SecRuleRemoveById and SecAction problem
From: Brian R. <Bri...@br...> - 2009-01-26 20:34:55
The SecAction should have had an ID so you could disable it with the rest of the block.

You can use SecRuleUpdateActionById on the skipAfter target rules instead of removing them. Something like this to prevent them from doing anything, but still keeping the ID around for the skipAfter target:

  SecRuleUpdateActionById 959007 "pass,nolog"
  SecRuleUpdateActionById 969007 "pass,nolog"

Then SecRuleRemoveById the other rules.

-B

Ofer Shezaf wrote:
> Hi Andreas,
>
> This is a limitation of the skipAfter action. To address it we added the
> SecMarker directive, but this was never added to the rules. I can't think of
> a workaround sans changing the core rule files. Does anyone else have an
> idea?
>
> ~ Ofer
>
> Ofer Shezaf [sh...@xi..., +972-54-4431119, www.xiom.com]
>
> Founder, Xiom.com, Proactive Web Application Security, http://www.xiom.com
> Chairman, OWASP Israel
> Leader, WASC Web Hacking Incidents Database Project
>
> -----Original Message-----
> From: Andreas Niemann [mailto:And...@gm...]
> Sent: Saturday, January 24, 2009 2:20 PM
> To: mod...@li...
> Subject: [mod-security-users] SecRuleRemoveById and SecAction problem
>
> Hi,
>
> I am trying to disable some rules depending on a location match. The
> location match looks like this:
>
> <LocationMatch "/test.html">
>   SecRuleRemoveById "950000-959999"
> </LocationMatch>
>
> and this is a part of the rules:
>
> SecRule ARGS "not" "phase:2,pass,skip:1"
> SecAction phase:2,pass,nolog,skipAfter:959007
> SecRule ARGS "not" "phase:2,pass,id:'950007'"
> SecRule ARGS "not" "phase:2,pass,id:'959007'"
>
> SecRule ARGS "not" "phase:2,pass,skip:1"
> SecAction phase:2,pass,nolog,skipAfter:969007
> SecRule ARGS "not" "phase:2,pass,id:'960007'"
> SecRule ARGS "not" "phase:2,pass,id:'969007'"
>
> The SecRuleRemoveById should disable the first block of rules, but calling
> "test.html" results in ignoring all rules.
>
> Here is the debug log:
>
> [24/Jan/2009:13:09:21 +0100] [127.0.0.1/sid#b7f50fa0][rid#b81a29b0][/test.html][4] Warning. Unconditional match in SecAction. [file "/etc/apache2/conf.d/modsecurity_crs_40_generic_attacks.conf"] [line "2"]
> [24/Jan/2009:13:09:21 +0100] [127.0.0.1/sid#b7f50fa0][rid#b81a29b0][/test.html][4] Rule returned 1.
> [24/Jan/2009:13:09:21 +0100] [127.0.0.1/sid#b7f50fa0][rid#b81a29b0][/test.html][9] Skipping after rule b807ac98 id="959007" -> mode SKIP_RULES.
> [24/Jan/2009:13:09:21 +0100] [127.0.0.1/sid#b7f50fa0][rid#b81a29b0][/test.html][9] Skipping rule b807bc20 id="(none)" until after id="959007"
> [24/Jan/2009:13:09:21 +0100] [127.0.0.1/sid#b7f50fa0][rid#b81a29b0][/test.html][9] Skipping rule b807c0b8 id="(none)" until after id="959007"
> [24/Jan/2009:13:09:21 +0100] [127.0.0.1/sid#b7f50fa0][rid#b81a29b0][/test.html][9] Skipping rule b807c5b8 id="960007" until after id="959007"
> [24/Jan/2009:13:09:21 +0100] [127.0.0.1/sid#b7f50fa0][rid#b81a29b0][/test.html][9] Skipping rule b8080af0 id="969007" until after id="959007"
> [24/Jan/2009:13:09:21 +0100] [127.0.0.1/sid#b7f50fa0][rid#b81a29b0][/test.html][9] Skipping rule b8080e58 id="969007" until after id="959007"
>
> The two rules after the first SecAction have no rule id because they are
> correctly marked as removed. But the "skipAfter" from the SecAction is still
> executed and does not find the target rule.
>
> What is the correct way to disable such a block of rules (i.e. part of the
> core rules)?
>
> Thanks for help,
> Andreas Niemann

--
Brian Rectanus
Breach Security
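
The skipping behaviour discussed in this thread, as an added example that is not part of the original messages and is not ModSecurity's code: a simplified Python model, built from the quoted debug log, of why removing the skipAfter target disables every later rule and why keeping its ID restores processing. All class and function names are hypothetical, and rule 970001 is a constructed later rule.

```python
# Simplified model of rule skipping, built from the debug log quoted in this
# thread. It is NOT ModSecurity's implementation; all names are hypothetical.
from dataclasses import dataclass, replace
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    name: str
    rule_id: Optional[int] = None     # None corresponds to id="(none)" in the log
    unconditional: bool = False       # True for SecAction
    skip: int = 0                     # skip:N
    skip_after: Optional[int] = None  # skipAfter:ID
    removed: bool = False

def block(first: int, last: int) -> List[Rule]:
    """One four-rule block from the original post."""
    return [Rule(f"gate-{first}", skip=1),
            Rule(f"action-{first}", unconditional=True, skip_after=last),
            Rule(f"rule-{first}", rule_id=first),
            Rule(f"rule-{last}", rule_id=last)]

# The two posted blocks plus one constructed later rule (970001).
RULES = (block(950007, 959007) + block(960007, 969007)
         + [Rule("later-rule", rule_id=970001)])

def remove_by_id(rules, low, high):
    """Model of SecRuleRemoveById "low-high": the rule loses its ID, never runs."""
    return [replace(r, rule_id=None, removed=True)
            if r.rule_id is not None and low <= r.rule_id <= high else r
            for r in rules]

def evaluate(rules, args_contain_not: bool) -> List[str]:
    """Return the names of the rules that were actually evaluated."""
    ran, skip_n, target = [], 0, None
    for r in rules:
        if target is not None:        # SKIP_RULES mode from the log
            if r.rule_id == target:
                target = None         # resume after the target rule
            continue
        if skip_n:
            skip_n -= 1
            continue
        if r.removed:
            continue
        ran.append(r.name)
        if r.unconditional or args_contain_not:  # every SecRule here is ARGS "not"
            skip_n, target = r.skip, r.skip_after
    return ran

# Original post: the whole range is removed, so the skipAfter target is gone.
broken = remove_by_id(RULES, 950000, 959999)
# Reply's workaround: 959007 keeps its ID (neutralised with "pass,nolog").
fixed = remove_by_id(RULES, 950000, 959006)
```

For a request without "not" in its arguments, `evaluate(broken, False)` stops after the first SecAction, while `evaluate(fixed, False)` continues through the second block to the later rule.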